SPECIFICATION 

AUTHENTICATION SYSTEM AND REMOTELY-DISTRIBUTED STORAGE SYSTEM 




BACKGROUND OF THE INVENTION 



Technical Field 

The present invention includes an authentication system, which is resilient against 
leakage of information related to authentication, and a remotely-distributed storage system 
using the authentication system for secure data storage. 

The present application claims the priority of Patent Application No. 2003-367527 filed 
on October 28, 2003, the contents of which are incorporated herein by reference. 



Description of the Related Art 

One well-known authentication method between a user terminal and a server uses a user ID 
and a password that is known only to the user. In this method, the user enters his/her ID 
and password into the terminal, and if they match the information stored in the server, 
the user is authenticated as a legitimate user. 

However, if this information is sent in the clear over the communication path between the 
terminal and the server, an attacker who obtains the information (ID and password) illegally 
or by eavesdropping on the channel can easily impersonate the user or commit other wrongdoing. 
Therefore, encryption techniques such as SSL (Document 1), TLS (Document 2), and SSH 
(Document 3) are usually used for sending/receiving this information. For authentication, 
these techniques make use of a combination of passwords, secret values, and public values. 

(Document 1) A. Frier, P. Karlton, and P. Kocher. The SSL 3.0 Protocol. Netscape 
Communications Corp., 1996, http://wp.netscape.com/eng/ssl3/ 

(Document 2) IETF (Internet Engineering Task Force). Transport Layer Security (tls) 
Charter. http://www.ietf.org/html.charters/tls-charter.html 

(Document 3) IETF (Internet Engineering Task Force). Secure Shell (secsh) 
Charter. http://www.ietf.org/html.charters/secsh-charter.html 

However, a problem with the above non-patent Documents 1 to 3 is that the password can be 
obtained through off-line dictionary attacks when password-encoded (or password-related) 
information is leaked from a user terminal or password verification data is leaked from a 
server. As for on-line dictionary attacks (e.g., repeated inputs of password candidates in 
search of the correct one by impersonating a user or a server), a server can adopt a security 
policy of denying access after a specified number of wrong password inputs. Compared to 
on-line attacks, off-line dictionary attacks are much more powerful in that there is no 
available precaution and an attacker can find the correct password without interaction with 
a user or a server. In addition, if a password is leaked, the data stored in the system to 
which a user can log in using that password can be exposed as well. 

SUMMARY OF THE INVENTION 

A purpose of the present invention is to design an authentication system that can 
provide not only resilience against information leakage but also establishment of session 
keys for secure subsequent communications. 

A purpose of the present invention is to design a remotely-distributed storage system 
using the authentication system of the present invention for secure data storage. 

The essence of the present invention relates to an authentication system for mutual 
authentication between a terminal and a server. The terminal comprises a data 
extension means that yields password verification data H for server registration and 
authentication information P' for memory 12 based on a password previously determined 
by the user; a memory means that stores the authentication information P' yielded by the 
data extension means; a concatenation means that yields a value P using a specific 
calculation formula with the input of the authentication information P' read from the 
memory and a password entered for authentication; a mask operation means that yields a 
value Y1 using a specific calculation formula with the input of the value P and an internally 
generated random number R1, and sends Y1 to the server; a master key generation means 
that yields a value MK using a specific calculation formula with the input of the value P, 
the internally generated random number R1 and a value Y2 received from the server; 
and an authentication result verification means that yields a value V1 using a specific 
calculation formula with the input of the value MK, sends V1 to the server, and then 
compares a value V2 received from the server with the value V1 and, if they match, 
authenticates the server. The server comprises a memory means that stores the 
password verification data H yielded by the data extension means; a mask operation means 
that yields a value Y2 using a specific calculation formula with the input of the password 
verification data H read from the memory means and an internally generated random 
number R2 and sends Y2 to the terminal; a master key generation means that yields a 
value MK using a specific calculation formula with the input of the password verification 
data H, the internally generated random number R2 and a value Y1 received from the 
terminal; and an authentication result verification means that yields a value V2 using a 
specific calculation formula with the input of the value MK, sends V2 to the terminal and 
then compares a value V1 received from the terminal with the value V2 and, if they match, 
authenticates the terminal. 

The essence of the present invention relates to an authentication program that runs 
on the terminal of an authentication system for mutual authentication between the 
terminal and a server. The program allows a computer to execute a data extension process 
to yield password verification data H for server registration and authentication information 
P' for memory 12 based on a password previously determined by the user; a memory 
process to store the authentication information P' yielded in the data extension process; a 
concatenation process to yield a value P using a specific calculation formula with the input 
of the authentication information P' stored in the memory process and a password entered 
for authentication; a mask operation process to yield a value Y1 using a specific calculation 
formula with the input of the value P and an internally generated random number R1 and 
send Y1 to the server; a master key generation process to yield a value MK using a specific 
calculation formula with the input of the value P, the internally generated random 
number R1 and a value Y2 received from the server; and an authentication result 
verification process to yield a value V1 using a specific calculation formula with the input of 
the value MK and send V1 to the server, and then compare a value V2 received from the 
server with the value V1 and, if they match, authenticate the server. 

The essence of the present invention relates to an authentication program that runs 
on the server of an authentication system for mutual authentication between a terminal 
and the server. The program allows a computer to execute a memory process to store 
password verification data H; a mask operation process to yield a value Y2 using a specific 
calculation formula with the input of the password verification data H stored in the 
memory process and an internally generated random number R2 and send Y2 to the 
terminal; a master key generation process to yield a value MK using a specific calculation 
formula with the input of the password verification data H, the internally generated 
random number R2 and a value Y1 received from the terminal; and an authentication 
result verification process to yield a value V2 using a specific calculation formula with the 
input of the value MK, send V2 to the terminal and then compare a value V1 received 
from the terminal with the value V2 and, if they match, authenticate the terminal. 

The essence of the present invention relates to an authentication system for mutual 
authentication between a terminal and a server. The terminal comprises a data 
extension means that yields password verification data H for server registration and 
authentication information P' for memory 12; a memory means that stores the 
authentication information P' yielded by the data extension means and an RSA public key 
(N, e) yielded by an RSA key generation means; a concatenation means that yields a value 
W using a specific calculation formula with the input of the authentication information P' 
read from the memory means and a password entered for authentication; a mask operation 
means that yields a value Z using a specific calculation formula with the input of the value 
W, the RSA public key (N, e) read from the memory means and an internally generated random 
number T, and sends Z to the server; an authentication result verification means that 
compares a value V2 received from the server with a value V2 obtained using a specific 
calculation formula with the input of the random number T and, if they match, 
authenticates the server; and a verifier generation means that yields a value V1 using a 
specific calculation formula with the input of the random number T and sends V1 to the 
server. The server comprises an RSA key generation means that yields an RSA public key 
(N, e) and an RSA private key (N, d); a memory means that stores the RSA private key (N, 
d) yielded by the RSA key generation means and the password verification data H yielded 
by the data extension means; a master key generation means that yields a value T using a 
specific calculation formula with the input of the RSA private key (N, d), the password 
verification data H read from the memory means and a value Z received from the terminal; 
a verifier generation means that yields a value V2 using a specific calculation formula with 
the input of the value T and sends V2 to the terminal; and an authentication result 
verification means that compares a value V1 received from the terminal with a value V1 
obtained using a specific calculation formula with the input of the value T and, if they 
match, authenticates the terminal. 




The essence of the present invention relates to an authentication program that runs 
on the terminal of an authentication system for mutual authentication between the 
terminal and a server. The program allows a computer to execute a data extension process 
to yield password verification data H for server registration and authentication information 
P' for memory 12 based on a password previously determined by the user; a memory 
process to store the authentication information P' yielded in the data extension process and 
an RSA public key (N, e) generated in an RSA key generation process; a concatenation 
process to yield a value W using a specific calculation formula with the input of the 
authentication information P' stored in the memory process and a password entered for 
authentication; a mask operation process to yield a value Z using a specific calculation 
formula with the input of the value W, the RSA public key (N, e) stored in the memory process 
and an internally generated random number T, and send Z to the server; an authentication 
result verification process to compare a value V2 received from the server with a value V2 
obtained using a specific calculation formula with the input of the random number T and, if 
they match, authenticate the server; and a verifier generation process to yield a value V1 
using a specific calculation formula with the input of the random number T and send V1 to 
the server. 

The essence of the present invention relates to an authentication program that runs on 
the server of an authentication system for mutual authentication between a terminal and 
the server. The program allows a computer to execute an RSA key generation process to 
yield an RSA public key (N, e) and an RSA private key (N, d); a memory process to store the 
RSA private key (N, d) yielded in the RSA key generation process and password verification 
data H; a master key generation process to yield a value T using a specific calculation 
formula with the input of the RSA private key (N, d), the password verification data H stored in 
the memory process and a value Z received from the terminal; a verifier generation process 
to yield a value V2 using a specific calculation formula with the input of the value T and 
send V2 to the terminal; and an authentication result verification process to compare a 
value V1 received from the terminal with a value V1 obtained using a specific calculation 
formula with the input of the value T and, if they match, authenticate the terminal. 

The essence of the present invention relates to a remotely-distributed storage system 
that conducts mutual authentication between a terminal and multiple servers, distributes 
terminal data to be stored, and stores them in the servers. The terminal comprises a data 
extension means that yields password verification data H for server registration and 
authentication information P' for memory 12 based on a password previously determined 
by the user; a memory means that stores the authentication information P' yielded by the 
data extension means; a concatenation means that yields a value P using a specific 
calculation formula with the input of the authentication information P' read from the 
memory means and a password entered for authentication; a mask operation means that 
yields a value Y1 using a specific calculation formula with the input of the value P and an 
internally generated random number R1, and sends Y1 to the server; a master key 
generation means that yields a value MK using a specific calculation formula with the 
input of the value P, the internally generated random number R1 and a value Y2 received 
from the server; an authentication result verification means that yields a value V1 using a 
specific calculation formula with the input of the value MK, sends V1 to the server and then 
compares a value V2 received from the server with the value V1 and, if they match, 
authenticates the server; a session key generation means that generates the same number 
of session keys SK as the number of servers when the servers are authenticated; a data 
division means that divides the data to be stored and yields the same number of divided 
data as the number of authenticated servers; an encoding means that encodes both the 
respective divided data and identification information for identifying the data to be stored 
using the session keys SK shared with the storage servers, and sends them to the 
respective servers; and a data decoding means that receives the divided data from the 
respective storage servers and decodes the stored data. Each server comprises a memory 
means that stores the password verification data H yielded by the data extension means; a 
mask operation means that yields a value Y2 using a specific calculation formula with the 
input of the password verification data H read from the memory means and an internally 
generated random number R2 and sends Y2 to the terminal; a master key generation 
means that yields a value MK using a specific calculation formula with the input of the 
password verification data H, the internally generated random number R2 and a value Y1 
received from the terminal; an authentication result verification means that yields a value 
V2 using a specific calculation formula with the input of the value MK, sends V2 to the 
terminal and then compares a value V1 received from the terminal with the value V2 and, 
if they match, authenticates the terminal; a session key generation means that generates a 
session key SK when the terminal is authenticated; a data reception means that receives 
divided data from the terminal; a data storage means that stores the divided data; and a 
data transfer means that reads the divided data stored by the data storage means and 
sends the data to the terminal. 

The essence of the present invention relates to a remotely-distributed storage 
program that runs on the terminal of a remotely-distributed storage system and conducts 
mutual authentication between the terminal and multiple servers, distributes terminal 
data to be stored, and stores them in the servers. The program allows a computer to execute 
a data extension process to yield password verification data H for server registration and 
authentication information P' for memory 12 based on a password previously determined 
by the user; a memory process to store the authentication information P' yielded by the data 
extension process; a concatenation process to yield a value P using a specific calculation 
formula with the input of the authentication information P' read from the memory process 
and a password entered for authentication; a mask operation process to yield a value Y1 
using a specific calculation formula with the input of the value P and an internally 
generated random number R1, and send Y1 to the server; a master key generation process 
to yield a value MK using a specific calculation formula with the input of the value P, the 
internally generated random number R1 and a value Y2 received from the server; an 
authentication result verification process to yield a value V1 using a specific calculation 
formula with the input of the value MK, send V1 to the server and then compare a value V2 
received from the server with the value V1 and, if they match, authenticate the server; a 
session key generation process to generate the same number of session keys SK as the 
number of servers when the servers are authenticated; a data division process to divide the 
data to be stored and yield the same number of divided data as the number of 
authenticated servers; a data encoding process to encode both the respective divided data 
and identification information for identifying the data to be stored using the session keys 
SK shared with the storage servers and send them to the respective servers; and a data 
decoding process to receive the divided data from the respective storage servers and decode 
the stored data. 

The essence of the present invention relates to a remotely-distributed storage program 
that runs on the server of a remotely-distributed storage system and conducts mutual 
authentication between a terminal and multiple servers, distributes terminal data to be 
stored, and stores it in the servers. The program allows a computer to execute a memory 
process to store password verification data H yielded in a data extension process; a mask 
operation process to yield a value Y2 using a specific calculation formula with the input of 
the password verification data H read from the memory process and an internally 
generated random number R2, and send Y2 to the terminal; a master key generation 
process to yield a value MK using a specific calculation formula with the input of the 
password verification data H, the internally generated random number R2 and a value Y1 
received from the terminal; an authentication result verification process to yield a value V2 
using a specific calculation formula with the input of the value MK, send V2 to the terminal 
and then compare a value V1 received from the terminal with the value V2 and, if they 
match, authenticate the terminal; a session key generation process to generate a session 
key when the terminal is authenticated; a data reception process to receive the divided data 
from the terminal; a data storage process to store the divided data; and a data transfer 
process to read the divided data stored in the data storage process and send the data to the 
terminal. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram showing the configuration of a terminal as an embodiment of 
the present invention. 

Fig.2 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig.3 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig.4 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig. 5 is a block diagram showing the configuration of a mutual authentication and key 
exchange unit. 

Fig.6 is a block diagram showing the configuration of the terminal 1 in Fig. 5. 

Fig.7 is a block diagram showing the configuration of the server 2 in Fig.5. 

Fig.8 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig.9 is a block diagram showing the configuration of the terminal 1 for password 
verification data update - 1. 

Fig. 10 is a block diagram showing the configuration of the server 2 for password 
verification data update - 1. 

Fig. 11 is a block diagram showing the configuration of the terminal 1 for password 
verification data update - 2. 

Fig. 12 is a block diagram showing the configuration of the server 2 for password 
verification data update - 2. 

Fig. 13 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig. 14 is a block diagram showing the configuration of the data extender 11 in Fig.1. 

Fig. 15 is a block diagram showing the configuration of the server 2 for initialization 
processing through secure communications. 

Fig. 16 is a block diagram showing the configuration of the terminal 1 and the server 2 
for initialization processing through insecure communications. 

Fig. 17 is a block diagram showing the configuration of the terminal 1 in Fig.5. 

Fig. 18 is a block diagram showing the configuration of the server 2 in Fig.5. 

Fig. 19 is a block diagram showing the configuration of the terminal 1 for update 
processing using a master key. 

Fig.20 is a block diagram showing the configuration of the server 2 for update 
processing using a master key. 

Fig.21 is a block diagram showing the configuration of a remotely-distributed storage 
unit 5 when distributed data is not stored in the terminal. 

Fig.22 is a block diagram showing the configuration of the data divider 51 in Fig.21. 

Fig.23 is a block diagram showing the configuration of a remotely- distributed storage 
unit 5 when data is not stored in the terminal. 

Fig.24 is a block diagram showing the configuration of the data decoder 54 in Fig.23. 

Fig.25 is a block diagram showing the configuration of a remotely- distributed storage 
unit 5 when distributed data is also stored in the terminal. 

Fig.26 is a block diagram showing the configuration of the data divider 51 in Fig.25. 

Fig.27 is a block diagram showing the configuration of a remotely-distributed storage 
unit 5 when data is also stored in the terminal. 

Fig.28 is a block diagram showing the configuration of the data decoder 54 in Fig.27. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

<Embodiment 1> 

Hereinafter, preferred embodiments of the present invention are described with 
reference to the drawings. However, the present invention is not restricted to the following 
embodiments. For example, components of the following embodiments can be combined in 
an appropriate way for another embodiment. 

The authentication system to be described here is a system that allows a user terminal 
and an authentication server to authenticate mutually and share the same session key at 
the same time. 

Here are symbols to be used in the explanation. 

The letters p and q are prime numbers satisfying the relationship q | p - 1, where q | p - 1 
means that q is a divisor of p - 1. The letters g and h are generators of a finite field (group) 
G = {g^j mod p : 0 < j < q} with order q over modulus p (which can be constructed in the same 
way over an elliptic curve group). Here, "g^j mod p" is a modular exponentiation in 
which g is raised to the power j and divided by p to yield a remainder. Here, g satisfies 1 < g < p - 1, 
g^q = 1 mod p, and g^j ≠ 1 mod p (0 < j < q), and h satisfies h = g^a mod p. In other words, p and q 
represent an operation system (characteristics of the prime field). For example, x is secret 
information in H = h^x mod p (0 < x < q) (in other words, if h and H are given, it is 
mathematically difficult to compute x = log_h H: the discrete logarithm problem for a 
generator h of H). A random number generator randomly chooses a number R ∈ (Z/qZ)*, 
where (Z/qZ)* is the set {1, 2, ..., q}. N is the length of a password. || means that the values 
are concatenated (concatenation). 

<Terminal initialization> 

When a user wants to register to a server, the user initializes his/her own terminal. 
Fig.1 is a block diagram showing the configuration of the initialization process of a user 
terminal. In the initialization, when the user enters a password, a data extender 11 
generates password verification data H for server registration and a value P' for memory 12. 
The password verification data H is sent to the server and the value P' is stored in memory 
12. The data extender 11 can be constructed from a polynomial equation, a polynomial 
equation and a hash function, a hash function, or a pseudo random number generator. 

(1) Use of polynomial equation (1) 

First, use of a polynomial equation (1) is described with reference to Fig.2. 

First, a polynomial equation generator 111 randomly generates a polynomial equation. 
Here, the polynomial equation generator 111 generates a polynomial equation of degree one 
with a variable x (p'(x) = a_1 · x mod q) when there is one server for registration and a 
polynomial equation of degree n (p'(x) = a_1 · x + a_2 · x^2 + ... + a_n · x^n mod q) when there 
are n servers; each a_i is randomly selected from (Z/qZ)*. For example, p'(x) becomes p'(x) = a_1 · x 
mod q when there is one server. Then, the user enters a password (for example "Pooh93") 
remembered in the brain. On receiving the polynomial equation and the user password, the 
password verification data generator 112 generates password verification data H. The 
password verification data H can be calculated for example as H = h^(p'(1) + Pooh93) mod p, where 
p'(1) is the resultant value from the calculation of p'(x) with x being replaced by the server 
ID (for example "1"). The password verification data H needs to be sent to the server in a 
secure manner, where the user gives it to the server administrator directly, by mail, or by 
telephone. The polynomial equation P' = p'(x) generated by the polynomial equation 
generator is stored in the memory 12 inside the user terminal. 

(2) Use of polynomial equation (2) 

Next, use of polynomial equation (2) is described hereinafter with reference to Fig.2. 

First, the polynomial equation generator 111 randomly generates a polynomial equation. 
Here, the polynomial equation generator 111 generates a polynomial equation of degree one 
with a variable x (p'(x) = a_1 · x mod q) when there is one server for registration and a 
polynomial equation of degree n (p'(x) = a_1 · x + a_2 · x^2 + ... + a_n · x^n mod q) when there are n 
servers; each a_i is randomly selected from (Z/qZ)*. For example, p'(x) becomes p'(x) = a_1 · x mod 
q when there is one server. Then, the user enters a password (for example "Pooh93") 
remembered in the brain. On receiving the polynomial equation and the user password, 
the password verification data generator 112 generates password verification data H. The 
password verification data H can be calculated for example as H = p(1) = p'(1) + Pooh93 
mod q, where p'(1) is the resultant value from the calculation of p'(x) with x being replaced 
by the server ID (for example "1"). The password verification data H needs to be sent to the 
server in a secure manner, where the user gives it to the server administrator directly, by 
mail, or by telephone. The polynomial equation P' = p'(x) generated by the polynomial 
equation generator is stored in the memory 12 inside the user terminal. 

(3) Use of polynomial equation and hash function (1) 

Next, use of polynomial equation and hash function (1) is described hereinafter with 
reference to Fig.8. 

First, a polynomial equation generator 119 randomly generates a polynomial 
equation. Here, the polynomial equation generator 119 generates a polynomial equation 
of degree one with a variable x (p'(x) = a_1 · x mod N) when there is one server for 
registration and a polynomial equation of degree n (p'(x) = a_1 · x + a_2 · x^2 + ... + a_n · x^n mod 
N) when there are n servers; each a_i is randomly selected from (Z/qZ)*. For example, p'(x) 
becomes p'(x) = a_1 · x mod N when there is one server. Subsequently, a hash function 
generator 120 randomly generates a hash function HASH. HASH is a one-way hash 
function. Then, the user enters a password (for example "Pooh93") remembered in the brain. 
On receiving the polynomial equation, the hash function and the user password, the 
password verification data generator 121 generates password verification data H. The 
password verification data H can be calculated for example as H = h^(p(1)) mod p, where p(1) is 
the resultant value of p(1) = p'(1) + HASH(Pooh93 || ID(U) || ID(S)) mod N. Here, ID(U) 
and ID(S) represent a user ID and a server ID, respectively, and p'(1) is calculated from p'(x) 
with x being replaced by "1." 

For example, if there are n servers for registration, the password verification data 
generator 121 generates password verification data H for the i-th server. The password 
verification data H can be calculated for example as H = h^(p(i)) mod p, where p(i) is the 
resultant value of p(i) = p'(i) + HASH(Pooh93 || ID(U) || ID(S)) mod N. Here, ID(U) 
and ID(S) represent a user ID and the i-th server ID, respectively, and p'(i) is calculated from 
the polynomial equation p'(x) of degree n with x being replaced by "i." 

The password verification data H needs to be sent to the server in a secure manner, 
where the user gives it to the server administrator directly, by mail, or by telephone. The 
polynomial equation p'(x) generated by the polynomial equation generator and the hash 
function HASH generated by the hash function generator are stored in the memory 12 
within the user terminal together as P' = (p'(x), HASH). 

(4) Use of polynomial equation and hash function (2) 

Next, use of polynomial equation and hash function (2) is described hereinafter with 
reference to Fig.8. 

First, the polynomial equation generator 119 randomly generates a polynomial 
equation. Here, the polynomial equation generator 119 generates a polynomial equation of 
degree one with a variable x (p' (x) = ai • x mod N) when there is one server for registeration 
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and a polynomial equation of degree n (p* (x) = ai • x + 012 • x 2 + ... + otn • x n mod N) when 
there are n servers, a is randomly selected from (Z / qZ)*. For example, p* (x) becomes p' (x) 
= cti • x mod N when there is one server. Subsequently, the hash function generator 120 
randomly generates the hash function HASH. The HASH is a one-way hash function. Then, 
the user enters a password (for example "Pooh93") remembered in the brain. When 
receiving the polynomial equation, the hash function and the user password, the password 
verification data generator 121 generates password verification data H. The password 
verification data H can be calculated for example as H = p (l) = p' (l) + HASH (Pooh93 I I 
ID (U) I i ID (S)) mod N. Here, ID (U) and ID (S) represent a user ID and a server ID, 
respectively, p' (l) is calculated from p' (x) with x being replaced by "1." 

For example, if there are n servers for registration, the password verification data
generator 121 generates password verification data H for the i-th server. The password
verification data H can be calculated for example as H = p(i) = p'(i) + HASH(Pooh93 || ID(U)
|| ID(S)) mod N. Here, ID(U) and ID(S) represent a user ID and the i-th server ID,
respectively, and p'(i) is calculated from the polynomial equation p'(x) of degree n with x
being replaced by "i."

The password verification data H needs to be sent to the server in a secure manner
where the user gives it to the server administrator directly, by mail, or by telephone. The
polynomial equation p'(x) generated by the polynomial equation generator and the hash
function HASH generated by the hash function generator are stored in the memory 12
within a user terminal together as P' = (p'(x), HASH).

(5) Use of hash function (1)

Next, use of hash function (1) is described hereinafter with reference to Fig. 3.

First, a hash function generator 113 randomly generates a hash function HASH.
Subsequently, a secret value generator 114 randomly generates a secret value S. The user
enters a password (for example "Pooh93") remembered in the brain. When receiving the
hash function, the secret value S, and the user password, the password verification data
generator 115 generates password verification data H. The password verification data H
can be calculated for example as H = h^(HASH(S || Pooh93 || ID(U) || ID(S))) mod p. Here, ID(U) and
ID(S) represent a user ID and a server ID, respectively. The password verification data H
needs to be sent to the server in a secure manner where the user gives it to the server
administrator directly, by mail, or by telephone. The hash function HASH and the secret
value S generated by hash function generator 113 and secret value generator 114 are stored
in the memory 12 within a user terminal together as P' = (S, HASH).

(6) Use of hash function (2) 

Next, use of hash function (2) is described hereinafter with reference to Fig. 3.

First, the hash function generator 113 randomly generates a hash function HASH.
Subsequently, the secret value generator 114 randomly generates a secret value S. Then,
the user enters a password (for example "Pooh93") remembered in the brain. When
receiving the hash function, the secret value S and user password, the password
verification data generator 115 generates password verification data H. The password
verification data H can be calculated for example as H = HASH(S || Pooh93 || ID(U) ||
ID(S)) mod q. Here, ID(U) and ID(S) represent a user ID and a server ID, respectively.
The password verification data H needs to be sent to the server in a secure manner where
the user gives it to the server administrator directly, by mail, or by telephone. The hash
function HASH and the secret value S generated by hash function generator 113 and secret
value generator 114 are stored in the memory 12 within a user terminal together as P' = (S,
HASH).

(7) Use of pseudo random number generator (1)

Next, use of pseudo random number generator (1) is described hereinafter with
reference to Fig. 4.

First, a pseudo random number generator 116 randomly generates a pseudo random
number function PRNG. Subsequently, a secret value generator 117 randomly generates a
secret value S. Then, the user enters a password (for example "Pooh93") remembered in the
brain. When receiving the pseudo random number function PRNG, the secret value S and
the user password, the password verification data generator 118 generates password
verification data H. The password verification data H can be calculated for example as H =
h^(PRNG(S || Pooh93 || ID(U) || ID(S))) mod p. Here, ID(U) and ID(S) represent a user ID and a
server ID, respectively. The password verification data H needs to be sent to the server in a
secure manner where the user gives it to the server administrator directly, by mail, or by
telephone. The pseudo random number function PRNG and the secret value S generated by
pseudo random number generator 116 and secret value generator 117 are stored in the
memory 12 within a user terminal together as P' = (S, PRNG).

(8) Use of pseudo random number generator (2) 

Next, use of pseudo random number generator (2) is described hereinafter with 
reference to Fig. 4. 

First, the pseudo random number generator 116 randomly generates a pseudo random 
number function PRNG. Subsequently, the secret value generator 117 randomly generates 
a secret value S. Then, the user enters a password (for example "Pooh93") remembered in 
the brain. When receiving the pseudo random number function PRNG, the secret value S 
and the user password, the password verification data generator 118 generates password 
verification data H. The password verification data H can be calculated for example as H = 
PRNG(S || Pooh93 || ID(U) || ID(S)) mod q. Here, ID(U) and ID(S) represent a user ID
and a server ID, respectively. The password verification data H needs to be sent to the 
server in a secure manner where the user gives it to the server administrator directly, by 
mail, or by telephone. The pseudo random number function PRNG and the secret value S 
generated by pseudo random number generator 116 and secret value generator 117 are 
stored in the memory 12 within a user terminal together as P' = (S, PRNG). 

Hereinafter, mutual authentication and key exchange operations between the terminal 
1 initialized as above and a server 2 (see Fig. 5) are described with reference to Figs. 6 and 
7. 

<Terminal operation> 

(1) Use of polynomial equation (1 and 2)

First, operation of the terminal 1 when initialized using polynomial equation is
described. The terminal 1 operates as follows regardless of using a polynomial equation (1)
or a polynomial equation (2) described above.

First, a polynomial equation P' = p'(x) stored in the memory 12 within a user terminal 1
is read. A concatenator 32 calculates and outputs P = p(x) using the polynomial equation P'
read from the memory 12 and a password entered by the user. For example, the
concatenator 32 calculates p(x) = p'(x) + Pooh93 = α1 · x + Pooh93 mod q. A mask operator
34 calculates Y1 = g^(R1) · h^(-p(1)) mod p using P received from the concatenator 32 and a
random number R1 generated by a random number generator 33. Here, p(1) is calculated
as p(1) = p'(1) + Pooh93 = α1 · 1 + Pooh93 mod q. Here, "1" represents the server ID. A
communication processing part 35 sends Y1 to the server 2 and receives Y2 from the server
2. When receiving P from the concatenator 32, R1 from the random number generator 33
and the received Y2, a master key generator 36 calculates and outputs MK = (Y2 · h^(-p(1)))^(R1)
mod p.

Subsequently, with the input of MK an authentication results verification part 37
calculates V1 = HASH(00 || Y1 || Y2 || MK), sends V1 to the server 2 via the
communication processing part 35, and compares V2 received from the server 2 with
HASH(01 || Y1 || Y2 || MK). Here, the HASH is a one-way hash function and a MAC (Message
Authentication Code) can be used instead of HASH.

If V2 and HASH(01 || Y1 || Y2 || MK) do not match, the authentication results
verification part 37 informs an error generator 38 that there is no match. As the response,
the error generator 38 generates an error and terminates the process. On the other hand, if
V2 and HASH(01 || Y1 || Y2 || MK) match, the authentication results verification part
37 authenticates the server 2 as a legitimate unit and a session key generator 39 generates
a session key SK = HASH(11 || Y1 || Y2 || MK).

(2) Use of polynomial equation and hash function (1 and 2)

Next, operation of the terminal 1 when initialized using polynomial equation and hash
function is described hereinafter. The terminal 1 operates as follows regardless of using a
polynomial equation and a hash function (1) or a polynomial equation and a hash function
(2) described above.

First, a polynomial equation and a hash function P' = (p'(x), HASH) stored in the
memory 12 within a user terminal 1 is read. The concatenator 32 calculates and outputs P
= p(x) using the polynomial equation p'(x) and hash function HASH read from the memory
12 and a password entered by the user. For example, the concatenator 32 calculates p(x) =
p'(x) + HASH(Pooh93 || ID(U) || ID(S)) = α1 · x + HASH(Pooh93 || ID(U) || ID(S))
mod N when p'(x) is a polynomial equation of degree one. The mask operator 34 calculates
Y1 = g^(R1) · h^(-p(1)) mod p using P received from the concatenator 32 and a random number R1
generated by the random number generator 33. Here, p(1) = p'(1) + HASH(Pooh93 || ID(U)
|| ID(S)) = α1 · 1 + HASH(Pooh93 || ID(U) || ID(S)) mod N, and p'(1) is calculated
from p'(x) with x being replaced by "1." The communication processing part 35 sends Y1 to
the server 2 and receives Y2 from the server 2. When receiving P from the concatenator 32,
R1 from the random number generator 33, and the received Y2, the master key generator 36
calculates and outputs MK = (Y2 · h^(-p(1)))^(R1) mod p.

When the polynomial equation p'(x) read from the memory 12 within a user terminal 1
is a polynomial equation of degree n, the concatenator 32 calculates and outputs P = p(x)
using the polynomial equation p'(x) and hash function HASH and a password entered by
the user. For example, the concatenator 32 calculates p(x) = p'(x) + HASH(Pooh93 || ID(U)
|| ID(S)) mod N. The mask operator 34 calculates Y1 = g^(R1) · h^(-p(i)) mod p using P
received from the concatenator 32 and a random number R1 generated by the random
number generator 33. Here, p(i) = p'(i) + HASH(Pooh93 || ID(U) || ID(S)) mod N, and p'(i)
is calculated from p'(x) with x being replaced by "i" for the i-th server. The communication
processing part 35 sends Y1 to the server 2 and receives Y2 from the server 2. When
receiving P from the concatenator 32, R1 from the random number generator 33, and the
received Y2, the master key generator 36 calculates and outputs MK = (Y2 · h^(-p(i)))^(R1) mod p.

Subsequently, with the input of MK the authentication result verification part 37
calculates V1 = HASH(00 || Y1 || Y2 || MK), sends V1 to the server 2 via the
communication processing part 35, and compares V2 received from the server 2 with
HASH(01 || Y1 || Y2 || MK). Here, the HASH is a one-way hash function and a MAC (Message
Authentication Code) can be used instead of HASH.

If V2 and HASH(01 || Y1 || Y2 || MK) do not match, the authentication result
verification part 37 informs the error generator 38 that there is no match. As the response,
the error generator 38 generates an error and terminates the process. On the other hand, if
V2 and HASH(01 || Y1 || Y2 || MK) match, the authentication results verification part
37 authenticates the server 2 as a legitimate unit and the session key generator 39
generates a session key SK = HASH(11 || Y1 || Y2 || MK).

(3) Use of hash function (1 and 2)

Next, operation of the terminal 1 when initialized using hash function is described
hereinafter. The terminal 1 operates as follows regardless of using a hash function (1) or a
hash function (2) described above.

First, a secret value and a hash function P' = (S, HASH) stored in the memory 12
within a user terminal 1 is read. The concatenator 32 calculates and outputs P = p using
the secret value S and hash function HASH read from the memory 12 and a password
entered by the user. For example, the concatenator 32 calculates p = HASH(S || Pooh93
|| ID(U) || ID(S)) mod q. The mask operator 34 calculates Y1 = g^(R1) · h^(-p) mod p using P
received from the concatenator 32 and a random number R1 generated by the random
number generator 33. The communication processing part 35 sends Y1 to the server 2 and
receives Y2 from the server 2. When receiving P from the concatenator 32, R1 from the
random number generator 33, and the received Y2, the master key generator 36 calculates
and outputs MK = (Y2 · h^(-p))^(R1) mod p.

Subsequently, with the input of MK the authentication result verification part 37
calculates V1 = HASH(00 || Y1 || Y2 || MK), sends V1 to the server 2 via the
communication processing part 35, and compares V2 received from the server 2 with
HASH(01 || Y1 || Y2 || MK). Here, the HASH is a one-way hash function and a MAC (Message
Authentication Code) can be used instead of HASH.

Then, if V2 and HASH(01 || Y1 || Y2 || MK) do not match, the authentication result
verification part 37 informs the error generator 38 that there is no match. As the response,
the error generator 38 generates an error and terminates the process. On the other hand, if
V2 and HASH(01 || Y1 || Y2 || MK) match, the authentication result verification part 37
authenticates the server 2 as a legitimate unit and the session key generator 39 generates a
session key SK = HASH(11 || Y1 || Y2 || MK).

(4) Use of pseudo random number generator (1 and 2)

Next, operation of the terminal 1 when initialized using pseudo random number
generator is described hereinafter. The terminal 1 operates as follows regardless of using a
pseudo random number generator (1) or a pseudo random number generator (2) described
above.

The operation when using a pseudo random number generator is the same as when
using a hash function except that a pseudo random number generator PRNG is used in the
place of the hash function HASH stored in the memory 12 within a user terminal 1.
Therefore, a detailed explanation is omitted.

<Server operation>

(1) Use of polynomial equation (1), use of polynomial equation and hash function (1), use of
hash function (1), and use of pseudo random number generator (1)

The server 2 operates as follows regardless of using a polynomial equation (1), a
polynomial equation and a hash function (1), a hash function (1), or a pseudo random
number generator (1) described above.

A user ID and password verification data H stored in memory 41 within the server 2 are
read. After receiving the password verification data H read from the memory 41 and a
random number R2 generated by random number generator 42, a mask operator 43
calculates Y2 = g^(R2) · H mod p. A communication processing part 44 sends Y2 obtained in the
calculation to the terminal 1, receives Y1 from the terminal 1 and outputs Y1 to a master
key generator 45. After receiving the password verification data H read from the memory
41, R2 from the random number generator 42, and Y1 from the communication processing
part 44, the master key generator 45 calculates and outputs MK = (Y1 · H)^(R2) mod p.

Subsequently, with the input of MK an authentication result verification part 46
calculates V2 = HASH(01 || Y1 || Y2 || MK), sends V2 to the terminal 1 via the
communication processing part 44, and compares V1 received from the terminal 1 with
HASH(00 || Y1 || Y2 || MK). In this instance, the HASH is a one-way hash function and
a MAC (Message Authentication Code) can be used instead of HASH.

If V1 and HASH(00 || Y1 || Y2 || MK) do not match, the authentication result
verification part 46 informs the error generator 47 that there is no match. As the response,
the error generator 47 generates an error and terminates the process. On the other hand, if
V1 and HASH(00 || Y1 || Y2 || MK) match, the authentication result verification part 46
authenticates the terminal 1 as a legitimate unit and a session key generator 48 generates
a session key SK = HASH(11 || Y1 || Y2 || MK).

(2) Use of polynomial equation (2), use of polynomial equation and hash function (2), use of 
hash function (2), and use of pseudo random number generator (2) 

The server 2 operates as follows regardless of using a polynomial equation (2), a 
polynomial equation and a hash function (2), a hash function (2), or a pseudo random 
number generator (2) described above. 

A user ID and a password verification data H stored in memory 41 within the server 2
are read. After receiving the password verification data H read from the memory 41 and
a random number R2 generated by the random number generator 42, the mask operator 43
calculates Y2 = g^(R2) · h^H mod p. The communication processing part 44 sends Y2 obtained in
the calculation to the terminal 1, receives Y1 from the terminal 1 and outputs Y1 to the
master key generator 45. After receiving the password verification data H read from the
memory 41, R2 from the random number generator 42, and Y1 from the communication
processing part 44, the master key generator 45 calculates and outputs MK = (Y1 · h^H)^(R2)
mod p.

Subsequently, with the input of MK the authentication results verification part 46
calculates V2 = HASH(01 || Y1 || Y2 || MK), sends V2 to the terminal 1 via the
communication processing part 44, and compares V1 received from the terminal 1 with
HASH(00 || Y1 || Y2 || MK). In this instance, the HASH is a one-way hash function and
a MAC (Message Authentication Code) can be used instead of HASH.

Then, if V1 and HASH(00 || Y1 || Y2 || MK) do not match, the authentication result
verification part 46 informs the error generator 47 that there is no match. As the response,
the error generator 47 generates an error and terminates the process. On the other hand, if
V1 and HASH(00 || Y1 || Y2 || MK) match, the authentication result verification part 46
authenticates the terminal 1 as a legitimate unit and the session key generator 48
generates the session key SK = HASH(11 || Y1 || Y2 || MK).



<Password verification data update — 1> 

When a user wants to update the password verification data already registered to a 
server without changing the password, the user updates his own terminal. Fig.9 is a block 
diagram showing the configuration of the user terminal update process. In the update 
process, after receiving a polynomial equation T' from a polynomial equation generator 13
and a polynomial equation P' stored in the memory 12 within the user terminal 1, an
update value generator 14 generates the value H' for server update and updated polynomial
equation P' for memory 12 where H' is sent to the server and the updated polynomial
equation P' is stored in memory 12. The update process is applicable to the use of
polynomial equation (1), polynomial equation (2), polynomial equation and hash function
(1), and polynomial equation and hash function (2) described above.

<Terminal update process>

(1) Use of polynomial equation (1)

First, update process of the terminal 1 when initialized using polynomial equation (1) is
described hereinafter, with reference to Fig. 9.

First, the polynomial equation generator 13 randomly generates a polynomial equation.
In this instance, the polynomial equation generator 13 generates a polynomial equation of
degree one with a variable x (t'(x) = β1 · x mod q) when there is one registered server and a
polynomial equation of degree n (t'(x) = β1 · x + β2 · x^2 + ... + βn · x^n mod q) when there are n
servers. β is randomly selected from (Z/qZ)*. For example, T' becomes T' = t'(x) = β1 · x mod
q when there is one server. Then, the polynomial equation P' = p'(x) stored in the memory
12 within user terminal 1 is read. After receiving the polynomial equations t'(x) and p'(x),
the update value generator 14 generates the updated polynomial equation P' for memory 12
and the value H' for server update. The updated polynomial equation P' can be calculated
for example as P' = t'(x) + p'(x) = (α1 + β1) · x mod q. The value H' for server update can be
calculated for example as H' = h^(t'(1)) mod p. In this instance, t'(1) is the resultant value from
t'(x) with x being replaced by the server ID (for example "1"). The value H' for server update
needs to be sent to the server in a secure manner where the user gives it to the server
administrator directly, by mail, or by telephone. The updated polynomial equation P' = t'(x)
+ p'(x) is stored in memory 12 within the user terminal.

(2) Use of polynomial equation (2)

Next, update process of the terminal 1 when initialized using polynomial equation (2) is
described hereinafter with reference to Fig. 9.

First, the polynomial equation generator 13 randomly generates a polynomial equation.
In this instance, the polynomial equation generator 13 generates a polynomial equation of
degree one with a variable x (t'(x) = β1 · x mod q) when there is one registered server and a
polynomial equation of degree n (t'(x) = β1 · x + β2 · x^2 + ... + βn · x^n mod q) when there are n
servers. β is randomly selected from (Z/qZ)*. For example, T' becomes T' = t'(x) = β1 · x mod
q when there is one server. Then, the polynomial equation P' = p'(x) stored in the memory
12 within user terminal 1 is read. After receiving the polynomial equations t'(x) and p'(x),
the update value generator 14 generates an updated polynomial equation P' for memory 12
and a value H' for server update. The updated polynomial equation P' can be calculated, for
example, by P' = t'(x) + p'(x) = (α1 + β1) · x mod q. The value H' for server update can be
calculated for example by H' = t'(1) mod q. In this instance, t'(1) is the resultant value from
t'(x) with x being replaced by the server ID (for example "1"). The value H' for server update
needs to be sent to the server in a secure manner where the user gives it to the server
administrator directly, by mail, or by telephone. The updated polynomial equation P' = t'(x)
+ p'(x) is stored in the memory 12 within the user terminal.

(3) Use of polynomial equation and hash function (1)

Next, update process of the terminal 1 when initialized using polynomial equation and
hash function (1) is described hereinafter with reference to Fig. 9.

First, the polynomial equation generator 13 randomly generates a polynomial equation.
In this instance, the polynomial equation generator 13 generates a polynomial equation of
degree one with a variable x (t'(x) = β1 · x mod N) when there is one registered server and a
polynomial equation of degree n (t'(x) = β1 · x + β2 · x^2 + ... + βn · x^n mod N) when there are n
servers. β is randomly selected from (Z/qZ)*. For example, T' becomes T' = t'(x) = β1 · x mod
N when there is one server. Then, the polynomial equation and hash function P' = (p'(x),
HASH) stored in the memory 12 within user terminal 1 is read. After receiving the
polynomial equations t'(x) and p'(x), the update value generator 14 generates an updated
polynomial equation P' for memory 12 and a value H' for server update. The updated
polynomial equation P' can be calculated for example as P' = t'(x) + p'(x) = (α1 + β1) · x mod
N and the value H' for server update can be calculated for example as H' = h^(t'(1)) mod p. In
this instance, t'(1) is the resultant value from t'(x) with x being replaced by "1."

For example, if there are n registered servers, the update value generator 14 generates
a value H' for the i-th server update. The value H' for server update can be calculated for
example as H' = h^(t'(i)) mod p. In this instance, t'(i) is the resultant value from the polynomial
equation t'(x) of degree n with x being replaced by "i."

The value H' for server update needs to be sent to the server in a secure manner where
the user gives it to the server administrator directly, by mail, or by telephone. The updated
polynomial equation P' = t'(x) + p'(x) and hash function HASH read from the memory 12
are stored in the memory 12 within the user terminal together as P' = (t'(x) + p'(x), HASH).

(4) Use of polynomial equation and hash function (2)

Next, update process of the terminal 1 when initialized using polynomial equation
and hash function (2) is described hereinafter with reference to Fig. 9.

First, the polynomial equation generator 13 randomly generates a polynomial equation.
In this instance, the polynomial equation generator 13 generates a polynomial equation of
degree one with a variable x (t'(x) = β1 · x mod N) when there is one registered server and a
polynomial equation of degree n (t'(x) = β1 · x + β2 · x^2 + ... + βn · x^n mod N) when there are n
servers. β is randomly selected from (Z/qZ)*. For example, T' becomes T' = t'(x) = β1 · x mod
N when there is one server. Then, the polynomial equation and hash function P' = (p'(x),
HASH) stored in the memory 12 within user terminal 1 is read. After receiving the
polynomial equations t'(x) and p'(x), the update value generator 14 generates an updated
polynomial equation P' for memory 12 and a value H' for server update. The updated
polynomial equation P' can be calculated for example as P' = t'(x) + p'(x) = (α1 + β1) · x mod
N and the value H' for server update can be calculated for example as H' = t'(1) mod N. In
this instance, t'(1) is the resultant value from t'(x) with x being replaced by "1."

For example, if there are n registered servers, the update value generator 14 generates
a value H' for the i-th server update. The value H' for server update can be calculated for
example as H' = t'(i) mod N. In this instance, t'(i) is the resultant value from the
polynomial equation t'(x) of degree n with x being replaced by "i."

The value H' for server update needs to be sent to the server in a secure manner where
the user gives it to the server administrator directly, by mail, or by telephone. The updated
polynomial equation P' = t'(x) + p'(x) and hash function HASH read from the memory 12
are stored in the memory 12 within the user terminal together as P' = (t'(x) + p'(x), HASH).

<Server update process> 

(1) Use of polynomial equation (1) and use of polynomial equation and hash function (1)

First, update process of the server 2 when initialized using polynomial equation (1) and
when initialized using polynomial equation and hash function (1) is described hereinafter
with reference to Fig. 10. The server 2 operates as follows regardless of using a polynomial
equation (1) or a polynomial equation and a hash function (1) described above.

First, the user ID and password verification data H stored in the memory 41 within the
server 2 are read. After receiving a value H' for server update sent from a user terminal and
the password verification data H read from the memory 41, an update value generator 21
generates an updated password verification data H for server storage. The updated
password verification data H can be calculated for example as H = h^(p(1)) · h^(t'(1)) = h^(p(1) + t'(1))
mod p. The updated password verification data H is stored in the server memory 41.
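The polynomial equation (1) variant, from initialization through the mutual authentication and key exchange described under terminal and server operation to the update just described, as an added Python example that is not part of the patent text. The toy safe prime, the generators g and h, the SHA-256 realisation of HASH, the byte encoding of the password and all function names are assumptions made here; the negative exponent h^(-p(1)) on the terminal side is what makes the two master keys agree.

```python
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; enough for the toy-sized parameters constructed here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def _safe_prime(start: int):
    """Smallest q >= start with q and p = 2q + 1 both prime (toy group parameters)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q


P, Q = _safe_prime(1_000_000)   # modulus p and subgroup order q (assumed, toy-sized)
G = 4                            # quadratic residue, hence a generator of the order-q subgroup
# Second generator h (assumed); in a deployment log_g(h) must be unknown to all parties.
H_GEN = pow(int.from_bytes(hashlib.sha256(b"constructed h").digest(), "big"), 2, P)


def pw_to_int(password: str) -> int:
    """The patent writes p'(x) + Pooh93 without fixing an encoding; this one is assumed."""
    return int.from_bytes(password.encode(), "big") % Q


def hash_int(tag: str, *parts: int) -> int:
    """HASH(tag || Y1 || Y2 || MK), realised here with SHA-256 over a delimited encoding."""
    data = tag + "|" + "|".join(str(x) for x in parts)
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def p_of(alpha1: int, password: str, x: int) -> int:
    """p(x) = p'(x) + password mod q with the degree-one polynomial p'(x) = alpha1 * x."""
    return (alpha1 * x + pw_to_int(password)) % Q


def register(password: str, server_id: int = 1):
    """Initialization: the terminal keeps P' = alpha1, the server receives H = h^p(1) mod p."""
    alpha1 = secrets.randbelow(Q - 1) + 1            # alpha1 drawn from (Z/qZ)*
    return alpha1, pow(H_GEN, p_of(alpha1, password, server_id), P)


class Terminal:
    def __init__(self, alpha1: int, server_id: int = 1):
        self.alpha1, self.server_id = alpha1, server_id

    def send_y1(self, password: str) -> int:
        self._p1 = p_of(self.alpha1, password, self.server_id)
        self._r1 = secrets.randbelow(Q - 1) + 1
        # Y1 = g^R1 * h^-p(1) mod p: the random R1 masks the password-derived exponent
        self.y1 = pow(G, self._r1, P) * pow(H_GEN, -self._p1, P) % P
        return self.y1

    def receive_y2(self, y2: int) -> int:
        mk = pow(y2 * pow(H_GEN, -self._p1, P) % P, self._r1, P)   # MK = (Y2 * h^-p(1))^R1
        self._v2_expected = hash_int("01", self.y1, y2, mk)
        self.sk = hash_int("11", self.y1, y2, mk)
        return hash_int("00", self.y1, y2, mk)                      # V1, sent to the server

    def verify_server(self, v2: int) -> bool:
        return v2 == self._v2_expected


class Server:
    def __init__(self, H: int):
        self.H = H                                     # password verification data h^p(1)

    def respond(self, y1: int):
        r2 = secrets.randbelow(Q - 1) + 1
        y2 = pow(G, r2, P) * self.H % P                # Y2 = g^R2 * H mod p
        mk = pow(y1 * self.H % P, r2, P)               # MK = (Y1 * H)^R2 mod p
        self._v1_expected = hash_int("00", y1, y2, mk)
        self.sk = hash_int("11", y1, y2, mk)
        return y2, hash_int("01", y1, y2, mk)          # (Y2, V2) to the terminal

    def verify_terminal(self, v1: int) -> bool:
        return v1 == self._v1_expected

    def update(self, h_prime: int):
        self.H = self.H * h_prime % P                  # h^p(1) * h^t'(1) = h^(p(1) + t'(1))


def terminal_update(alpha1: int, server_id: int = 1):
    """Update without a password change: new P' = (alpha1 + beta1) * x, H' = h^t'(1)."""
    beta1 = secrets.randbelow(Q - 1) + 1
    return (alpha1 + beta1) % Q, pow(H_GEN, beta1 * server_id % Q, P)


def run_session(terminal: Terminal, server: Server, password: str):
    """One mutual-authentication run: (server accepts, terminal accepts, SK values agree)."""
    y1 = terminal.send_y1(password)
    y2, v2 = server.respond(y1)
    v1 = terminal.receive_y2(y2)
    return server.verify_terminal(v1), terminal.verify_server(v2), terminal.sk == server.sk
```

A run with a wrong password fails on both sides because the two master keys no longer coincide, and after an update the old terminal value alpha1 fails against the updated H in the same way.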

(2) Use of polynomial equation (2) 

Next, update process of the server 2 when initialized using polynomial equation (2) is 
described hereinafter with reference to Fig. 10. 

First, the user ID and password verification data H stored in the memory 41 within the
server 2 are read. After receiving a value H' for server update sent from a user terminal and
the password verification data H read from the memory 41, the update value generator 21
generates an updated password verification data H for server storage. The updated
password verification data H can be calculated for example as H = p(1) + t'(1) mod q, and
the updated password verification data H is stored in the memory 41 of the server 2.

(3) Use of polynomial equation and hash function (2) 

Next, update process of the server 2 when initialized using polynomial equation and 
hash function (2) is described hereinafter with reference to Fig. 10. 

First, the user ID and password verification data H stored in the memory 41 within the
server 2 are read. After receiving a value H' for server update sent from a user terminal and
the password verification data H read from the memory 41, the update value generator 21
generates an updated password verification data H for server storage. The updated
password verification data H can be calculated for example as H = p(1) + t'(1) mod N, and
the updated password verification data H is stored in the memory 41 of the server 2.

<Password verification data update - 2> 

When a user wants to update the password verification data already registered to a 
server together with changing the password, the user updates his own terminal. Fig. 11 is a 
block diagram showing the configuration of the update process of a user terminal. In the 
update process, after receiving a secret value S' from a secret value generator 15, a new
password PW from the user and P' stored in the memory 12 within user terminal 1, a
password verification data updater 16 generates a password verification data H' for server
update and an updated P' for memory 12 where H' is sent to the server 2 and the updated P'
is stored in the memory 12. The update process is applicable to the use of hash function
(1), hash function (2), pseudo random number generator (1) and pseudo random number
generator (2) described above. In the same way, the use of polynomial equation (1),
polynomial equation (2), polynomial equation and hash function (1), and polynomial
equation and hash function (2) described above can be applied by following a similar
operation of each initialization process. Therefore, these explanations are omitted here.

<Terminal update process> 

(1) Use of hash function (1)

First, update process of the terminal 1 when initialized using hash function (1) is
described with reference to Fig. 11.

First, the secret value generator 15 randomly generates a secret value S'. Then, P' = (S,
HASH) stored in the memory 12 within user terminal 1 is read. After receiving a new
password (PW) remembered in the brain and the hash function HASH and secret value S',
the password verification data updater 16 generates an updated P' for memory 12 and a
password verification data H' for server update. The password verification data H' for
server update can be calculated for example as H' = h^(HASH(S' || PW || ID(U) || ID(S))) mod p. In this
instance, ID(U) and ID(S) represent a user ID and a server ID, respectively. The password
verification data H' for server update needs to be sent to the server in a secure manner in
which the user gives it to the server administrator directly, by mail, or by telephone. The
updated P' = (S', HASH) is stored in the memory 12 within user terminal 1.

(2) Use of hash function (2)

Next, update process of the terminal 1 when initialized using hash function (2) is
described hereinafter with reference to Fig. 11.

First, the secret value generator 15 randomly generates a secret value S'. Then, P' = (S,
HASH) stored in the memory 12 within user terminal 1 is read. After receiving a new
password (PW) remembered in the brain and hash function HASH and secret value S', the
password verification data updater 16 generates an updated P' for memory 12 and a
password verification data H' for server update. The password verification data H' for
server update can be calculated for example as H' = HASH(S' || PW || ID(U) || ID(S))
mod q. In this instance, ID(U) and ID(S) represent a user ID and a server ID,
respectively. The password verification data H' for server update needs to be sent to the
server in a secure manner in which the user gives it to the server 2 administrator directly,
by mail, or by telephone. The updated P' = (S', HASH) is stored in the memory 12 within
user terminal 1.

(3) Use of pseudo random number generator (1) and pseudo random number generator (2) 

Next, the update process of the terminal 1 when initialized using pseudo random number 
generator (1) and when initialized using pseudo random number generator (2) is described 
hereinafter with reference to Fig. 11. 

The operation when initialized using pseudo random number generator (1 and 2) is the 
same as that when initialized using hash function (1 and 2), except that a pseudo random 
number generator PRNG is used in the place of the hash function HASH stored in the 
memory 12. Therefore, these explanations are omitted. 

<Server update process> 

(1) Use of hash function (1), use of hash function (2), use of pseudo random number 
generator (1), and use of pseudo random number generator (2) 

First, the update process of the server 2 when initialized using hash function (1), hash 
function (2), pseudo random number generator (1) and pseudo random number generator 
(2) is described with reference to Fig. 12. The server 2 operates as follows regardless of 
using a hash function (1 and 2) or a pseudo random number generator (1 and 2) described 
above. 

First, the user ID and password verification data H stored in the memory 41 within the 
server 2 are read. After receiving password verification data H' for server update sent 
from the user terminal 1 and the password verification data H read from the memory 41, 
the password verification data updater 22 updates the password verification data H to H' 
sent from the user terminal 1. The updated password verification data H = H' is stored in 
the memory 41 within the server. 



<Embodiment 2> 

Hereinafter, embodiments of the present invention using a public key cryptosystem are 
described. However, the present invention is not restricted to the following embodiments. 
For example, components of these embodiments can be combined in an appropriate way in 
order to realize another embodiment. 

Here, some background knowledge and the basic symbols to be used are explained before 
embodiments using the RSA public key cryptosystem are described. 

In a public key cryptosystem, a public key (PubK) and a private key (PriK) are used in 
pairs (PubK, PriK). The public key is not confidential and anybody can obtain the key. In 
encryption, a message m can be converted into an encrypted message C = Enc_PubK (m) using 
the public key. The encrypted message can be decrypted to m = Dec_PriK (C) only using the 
private key. The encrypted message cannot be decrypted using the public key. In the public 
key signature system, a message m can be signed to create a signed message (m, s) in which 
s = Sig_PriK (m). For verifying the signed message, the public key is used to obtain m' = 
Ver_PubK (s), and if m and m' match, the signed message (m, s) is verified. If they do not 
match, the signed message (m, s) is not verified. 

In the well-known RSA public key cryptosystem, a public key is (N, e) and a private key 
is (N, d). In this instance, N is the product of two randomly selected large prime 
numbers p and q (namely, N = p • q), e is any small number such that the greatest 
common divisor of e and (p - 1) • (q - 1) is 1 (for example, e = 3 or e = 2^16 + 1), and d is 
e^(-1) mod ((p - 1) • (q - 1)). For maximum security, p and q should be of the same length. The 
encryption function for a message m (m ∈ Z_N*) is Enc_PubK (m) = m^e mod N. The decryption 
function is Dec_PriK (C) = C^d mod N. It is believed to be computationally difficult to obtain a 
message m given an encrypted message C and a public key (N, e). The security of RSA is 
based on the fact that it is difficult to factorize a large number N into prime factors. The 
signature function is Sig_PriK (m) = m^d mod N and the verification function is Ver_PubK (s) = s^e 
mod N. Generally, a cryptosystem has a security parameter that indicates the system's 
security level. Here, the hash function HASH has a security parameter k (wherein it is 
assumed that 1/2^k is negligibly small) and the RSA public key cryptosystem has a security 
parameter l, wherein it is particularly assumed that the modulus N of RSA has a length of l. 
{0, 1}* is the set of finite binary strings and {0, 1}^k is the set of binary strings 
having a length k. A hash function HASH is a secure one-way function having an 
input {0, 1}* and an output {0, 1}^k. An FDH (Full-Domain Hash) function is a secure one-way 
function having an input {0, 1}* and an output Z_N* \ {1}. The random number 
generator randomly generates a random number T (T ∈ Z_N*). || means that the values 
are concatenated. 

<Terminal initialization> 

When a user wants to register to a server, the user initializes his own terminal. Fig. 1 is 
a block diagram showing the configuration of the initialization process of a user terminal. 
In the initialization process, the user enters a password and then a data extender 11 
generates password verification data H for server registration and a value P' for the memory 
12. The password verification data H is sent to the server and the value P' is stored in the 
memory 12. The data extender 11 can be constituted by a polynomial equation and an FDH 
function, or by an FDH function alone. 

(1) Use of polynomial equation and FDH function (1) 

First, the use of a polynomial equation and FDH function (1) is described with reference to 
Fig. 13. 

First, an FDH function generator 122 randomly generates an FDH function FDH. 
Subsequently, a polynomial equation generator 123 randomly generates a polynomial 
equation. In this instance, the polynomial equation generator 123 generates a polynomial 
equation of degree one with a variable x (p' (x) = α1 • x mod N) when there is one server for 
registration and a polynomial equation of degree n (p' (x) = α1 • x + α2 • x^2 + ... + αn • x^n mod 
N) when there are n servers. Each α is randomly selected from Z_N*. For example, p' (x) becomes 
p' (x) = α1 • x mod N when there is one server. Then, the user enters a password (for example 
"Pooh93") remembered by the user. After receiving the polynomial equation, the FDH function, 
and the user password, a password verification data generator 124 generates password 
verification data H. The password verification data H can be calculated for example as H = 
p (1) = p' (1) + Pooh93 mod N. In this instance, p' (1) is the resultant value from p' (x) with x 
being replaced by the server ID (for example "1"). The password verification data H needs 
to be sent to the server in a secure manner, in which the user gives it to the server 
administrator directly, by mail, or by telephone. The polynomial equation p' (x) generated 
by the polynomial equation generator and the FDH function FDH generated by the FDH 
function generator are stored in the memory 12 within the user terminal together as P' = (p' (x), 
FDH). 
(2) Use of polynomial equation and FDH function (2) 

Next, the use of a polynomial equation and FDH function (2) is described hereinafter with 
reference to Fig. 13. 

First, the FDH function generator 122 randomly generates an FDH function FDH. 
Subsequently, the polynomial equation generator 123 randomly generates a polynomial 
equation. In this instance, the polynomial equation generator 123 generates a polynomial 
equation of degree one with a variable x (p' (x) = α1 • x mod N) when there is one server for 
registration and a polynomial equation of degree n (p' (x) = α1 • x + α2 • x^2 + ... + αn • x^n mod 
N) when there are n servers. Each α is randomly selected from Z_N*. For example, p' (x) becomes 
p' (x) = α1 • x mod N when there is one server. Then, the user enters a password (for example 
"Pooh93") remembered by the user. After receiving the polynomial equation, the FDH function, 
and the user password, the password verification data generator 124 generates password 
verification data H. The password verification data H can be calculated for example as H = 
p (1) = p' (1) + FDH (Pooh93 || ID (U) || ID (S)) mod N. In this instance, ID (U) and ID (S) 
represent a user ID and a server ID, respectively, and p' (1) is the resultant value from p' (x) 
with x being replaced by "1." 

For example, if there are n servers for registration, the password verification data 
generator 124 generates password verification data H for the i-th server. The password 
verification data H can be calculated for example as H = p (i) = p' (i) + FDH (Pooh93 || ID 
(U) || ID (S)) mod N. In this instance, ID (U) and ID (S) represent a user ID and the i-th 
server ID, respectively, and p' (i) is the resultant value from the polynomial equation p' (x) of 
degree n with x being replaced by "i." 

The password verification data H needs to be sent to the server in a secure manner, in 
which the user gives it to the server administrator directly, by mail, or by telephone. The 
polynomial equation p' (x) generated by the polynomial equation generator and the FDH 
function FDH generated by the FDH function generator are stored in the memory 12 within the 
user terminal together as P' = (p' (x), FDH). 



(3) Use of FDH function 

Next, the use of an FDH function is described hereinafter with reference to Fig. 14. 

First, an FDH function generator 125 randomly generates an FDH function FDH. 
Subsequently, a secret value generator 126 randomly generates a secret value S. In this 
instance, S has a length that prevents brute force attacks (for example, S has 80 or more 
bits). Then, the user enters a password (for example "Pooh93") remembered by the user. 
After receiving the FDH function, the secret value S and the user password, a password 
verification data generator 127 generates password verification data H. The password 
verification data H can be calculated for example as H = FDH (S || Pooh93 || ID (U) || ID 
(S)). In this instance, ID (U) and ID (S) represent a user ID and a server ID, respectively. 
The password verification data H needs to be sent to the server in a secure manner, in 
which the user gives it to the server administrator directly, by mail, or by telephone. The 
secret value S generated by the secret value generator 126 and the FDH function FDH 
generated by the FDH function generator 125 are stored in the memory 12 within the user 
terminal together as P' = (S, FDH). 

<Initialization of the terminal and server> 

The server executes the initialization process when it wants to send an RSA public key 
to a user. The server generates a pair comprising a public key and a private key according 
to the RSA public key cryptosystem and sends the public key to the user. In this instance, 
initialization can be realized through secure communication or through insecure 
communication. When insecure communication is used, the user has to verify whether the 
received public key is a legitimate one or not. The user is provided with a method of 
verifying that the server has generated the selected public key in an appropriate and 
correct way. In other words, the RSA signature system is used to verify that the greatest 
common divisor of the public exponent e provided by the server and (p - 1) • (q - 1) is 
1 (namely, gcd (e, (p - 1) • (q - 1)) = 1). 

(1) Through secure communication 

First, the initialization process through secure communication is described with reference 
to Fig. 15. 

First, an RSA key generator 23 generates a pair comprising a public key (N, e) and a 
private key (N, d). The RSA public key (N, e) needs to be sent to the user in a secure manner, 
in which the server gives it to the user directly, by mail, or by telephone. The RSA private 
key (N, d) is stored in the memory 41 within the server. 
(2) Through insecure communication 

Next, the initialization process through insecure communication is described hereinafter 
with reference to Fig. 16. 

First, a random number generator 17 of the user terminal 1 randomly generates a 
random number R1 (R1 ∈ {0, 1}^k) and sends it to the server. An RSA key generator 24 of the 
server 2 generates a pair comprising a public key (N, e) and a private key (N, d). 
Subsequently, a random number generator 25 randomly generates a random number R2 (R2 
∈ {0, 1}^k). After receiving R1 from the terminal 1, the private key (N, d) generated by the 
RSA key generator 24 and the random number R2 generated by the random number 
generator 25, an RSA signed message generator 26 generates a signature {s_j} (1 ≤ j ≤ n) for 
{m_j} (1 ≤ j ≤ n) (in this instance, n is an integer satisfying n > log_e (PW • (e - 1) / e), in which 
PW is a password). The signature {s_j} (1 ≤ j ≤ n) is calculated as {s_j = m_j^d mod N} (1 ≤ j ≤ n). 
In this instance, {m_j} (1 ≤ j ≤ n) is obtained by dividing into n blocks the output of HASH (n || N 
|| e || ID (U) || ID (S) || R1 || R2) having a length l. ID (U) and ID (S) represent a user ID and 
a server ID, respectively. The server 2 sends the public key (N, e) and the signed message (R2, 
{s_j} (1 ≤ j ≤ n)) obtained in the calculation to the terminal 1. The private key (N, d) generated 
by the RSA key generator 24 is stored in the memory 41 within the server 2. 

After receiving R1 generated by the random number generator 17 and ((N, e), (R2, {s_j} 
(1 ≤ j ≤ n))) sent from the server 2, an authentication results verification part 18 of the user 
terminal 1 verifies the signed message (R2, {s_j} (1 ≤ j ≤ n)). {m_j} (1 ≤ j ≤ n) is calculated from 
{m_j = s_j^e mod N} (1 ≤ j ≤ n) and compared with HASH (n || N || e || ID (U) || ID (S) || R1 || R2). 
When {m_j} (1 ≤ j ≤ n) and HASH (n || N || e || ID (U) || ID (S) || R1 || R2) do not match, the 
authentication results verification part 18 informs an error generator 19 that there is no 
match. In response, the error generator 19 generates an error and terminates the process. On 
the other hand, if {m_j} (1 ≤ j ≤ n) and HASH (n || N || e || ID (U) || ID (S) || R1 || R2) match, 
the authentication results verification part 18 verifies the public key (N, e) of the server 2 
as a legitimate one, and the public key (N, e) is stored in the memory 12 within the user 
terminal 1. 
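The public key verification over the insecure channel, written out in Python as an added example (editor's code, not part of the specification): the server signs every block m_j of the l-bit digest with d, and the terminal recomputes the blocks from the public key it actually received and checks s_j^e = m_j mod N. Assumptions not taken from the page: a toy RSA modulus built from two Mersenne primes, SHA-256 expanded in counter mode to produce an l-bit HASH, a length-prefixed encoding for ||, 128-bit R1 and R2, the number of blocks n passed in as a plain parameter (the bound on n stated above is not evaluated), and the placeholder identities "alice" and "server-1".

```python
import hashlib
import secrets

# Toy RSA key pair, constructed for this example (Mersenne primes; far too small for real use)
P_PRIME, Q_PRIME = 2**31 - 1, 2**61 - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # exists only because gcd(e, (p-1)(q-1)) = 1


def _enc(*parts):
    """Length-prefixed concatenation so that a || b is unambiguous (encoding is an assumption)."""
    out = b""
    for p in parts:
        if isinstance(p, int):
            b = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        else:
            b = p if isinstance(p, bytes) else str(p).encode()
        out += len(b).to_bytes(4, "big") + b
    return out


def hash_l_bits(l_bits, *parts):
    """HASH with an l-bit output, built by counter-mode expansion of SHA-256 (assumption)."""
    acc, ctr = b"", 0
    while len(acc) * 8 < l_bits:
        acc += hashlib.sha256(_enc(ctr, *parts)).digest()
        ctr += 1
    return int.from_bytes(acc, "big") >> (len(acc) * 8 - l_bits)


def blocks(pub, n, uid, sid, r1, r2):
    """{m_j}: HASH(n || N || e || ID(U) || ID(S) || R1 || R2) of length l, cut into n blocks.
    With n >= 2 every block is shorter than N; values are reduced mod N anyway."""
    n_mod, e = pub
    l_bits = n_mod.bit_length()
    h = hash_l_bits(l_bits, n, n_mod, e, uid, sid, r1, r2)
    width = l_bits // n
    mask = (1 << width) - 1
    return [((h >> (width * (n - 1 - j))) & mask) % n_mod for j in range(n)]


def server_sign_key(priv, pub, n, uid, sid, r1):
    """Server 2: pick R2 and sign every block, s_j = m_j^d mod N (RSA signed message generator 26)."""
    n_mod, d = priv
    r2 = secrets.randbits(128)                      # R2 from random number generator 25
    sigs = [pow(m, d, n_mod) for m in blocks(pub, n, uid, sid, r1, r2)]
    return r2, sigs


def terminal_verify_key(pub, r2, sigs, n, uid, sid, r1):
    """Terminal 1: recover m_j = s_j^e mod N with the *received* (N, e) and compare with the
    recomputed blocks; any mismatch is an error (authentication results verification part 18)."""
    n_mod, e = pub
    if len(sigs) != n:
        return False
    recovered = [pow(s, e, n_mod) for s in sigs]
    return recovered == blocks(pub, n, uid, sid, r1, r2)


def run_key_exchange(n=4, uid="alice", sid="server-1"):
    """Whole exchange over the insecure channel; True when the terminal accepts (N, e)."""
    r1 = secrets.randbits(128)                      # R1 from random number generator 17
    r2, sigs = server_sign_key((N, D), (N, E), n, uid, sid, r1)
    return terminal_verify_key((N, E), r2, sigs, n, uid, sid, r1)
```

The terminal deliberately recomputes the blocks from the public key it received rather than from constants, so a modulus or exponent substituted in transit changes both the expected blocks and the recovered values and the check fails; a single altered signature block fails the same way.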

Hereinafter, the mutual authentication and key exchange operations between the terminal 1 
initialized as described above and a server 2 (see Fig. 5) are described with reference to Figs. 
17 and 18. 
<Terminal operation> 

(1) Use of polynomial equation and FDH function (1) 

First, the operation of the terminal 1 when initialized using a polynomial equation and 
FDH function (1) is described. 

First, the polynomial equation and FDH function P' = (p' (x), FDH) stored in the 
memory 12 within the user terminal 1 are read. A concatenator 52 calculates and outputs W = 
FDH (p (x) || ID (U) || ID (S)) using the polynomial equation p' (x) and FDH function FDH 
read from the memory 12 and a password entered by the user. In this instance, p (x) = p' (x) 
+ Pooh93 mod N. For example, if p' (x) is a polynomial equation of degree one, p (x) = p (1) = 
p' (1) + Pooh93 = α1 • 1 + Pooh93 mod N. p' (1) is the resultant value from p' (x) with x being 
replaced by "1." 

When the polynomial equation p' (x) read from the memory 12 within the user terminal 
1 is a polynomial equation of degree n, the concatenator 52 calculates and outputs W = 
FDH (p (x) || ID (U) || ID (S)) using the polynomial equation p' (x) and FDH function FDH 
and a password entered by the user. In this instance, p (x) = p' (x) + Pooh93 mod N. For 
example, p (x) = p (i) = p' (i) + Pooh93 mod N. p' (i) is the resultant value from p' (x) with x 
being replaced by "i" for the i-th server. 

A mask operator 54 calculates Z = T^e • W mod N using a public key (N, e) read from the 
memory 12, W received from the concatenator 52 and a random number T (T ∈ Z_N*) 
generated by a random number generator 53. A communication processing part 55 sends Z 
to the server 2 and receives V2 from the server 2. 

Subsequently, with the input of T from the random number generator 53, the 
authentication result verification part 56 calculates HASH (01 || T || ID (U) || ID (S)) 
and compares it with V2 received from the server 2. In this instance, a MAC can be used in 
the place of the hash function HASH. When V2 and HASH (01 || T || ID (U) || ID (S)) do 
not match, the authentication result verification part 56 informs an error generator 57 
that there is no match. In response, the error generator 57 generates an error and 
terminates the process. On the other hand, if V2 and HASH (01 || T || ID (U) || ID (S)) 
match, the authentication result verification part 56 authenticates the server 2 as a 
legitimate unit and a verifier generator 58 calculates a verifier V1 = HASH (00 || T || ID 
(U) || ID (S)) and sends it to the server 2. At the same time, a session key generator 59 
generates a session key SK = HASH (11 || T || ID (U) || ID (S)). 
(2) Use of polynomial equation and FDH function (2) 

Next, the operation of the terminal 1 when initialized using a polynomial equation and 
FDH function (2) is described hereinafter. 

First, the polynomial equation and FDH function P' = (p' (x), FDH) stored in the memory 12 
within the user terminal 1 are read. The concatenator 52 calculates and outputs W = FDH (p (x) 
|| ID (U) || ID (S)) using the polynomial equation p' (x) and FDH function FDH read from 
the memory 12 and a password entered by the user. In this instance, p (x) = p' (x) + FDH 
(Pooh93 || ID (U) || ID (S)) mod N. For example, if p' (x) is a polynomial equation of 
degree one, p (x) = p (1) = p' (1) + FDH (Pooh93 || ID (U) || ID (S)) = α1 • 1 + FDH (Pooh93 
|| ID (U) || ID (S)) mod N. p' (1) is the resultant value from p' (x) with x being replaced by 
"1." 

When the polynomial equation p' (x) read from the memory 12 within the user terminal 1 is 
a polynomial equation of degree n, the concatenator 52 calculates and outputs W = FDH (p 
(x) || ID (U) || ID (S)) using the polynomial equation p' (x) and FDH function FDH and a 
password entered by the user. In this instance, p (x) = p' (x) + FDH (Pooh93 || ID (U) || ID 
(S)) mod N. For example, p (x) = p (i) = p' (i) + FDH (Pooh93 || ID (U) || ID (S)) mod N. p' 
(i) is the resultant value from p' (x) with x being replaced by "i" for the i-th server. 

The mask operator 54 calculates Z = T^e • W mod N using a public key (N, e) read from 
the memory 12, W received from the concatenator 52, and a random number T (T ∈ Z_N*) 
randomly generated by the random number generator 53. The communication processing 
part 55 sends Z to the server 2 and receives V2 from the server 2. 

Subsequently, with the input of T from the random number generator 53, the 
authentication result verification part 56 calculates HASH (01 || T || ID (U) || ID (S)) 
and compares it with V2 received from the server 2. In this instance, a MAC can be used in the 
place of the hash function HASH. When V2 and HASH (01 || T || ID (U) || ID (S)) do not 
match, the authentication result verification part 56 informs the error generator 57 that 
there is no match. In response, the error generator 57 generates an error and 
terminates the process. On the other hand, if V2 and HASH (01 || T || ID (U) || ID (S)) 
match, the authentication result verification part 56 authenticates the server 2 as a 
legitimate unit and the verifier generator 58 calculates a verifier V1 = HASH (00 || T || ID 
(U) || ID (S)) and sends it to the server 2. At the same time, the session key generator 59 
generates a session key SK = HASH (11 || T || ID (U) || ID (S)). 

(3) Use of FDH function 

Next, the operation of the terminal 1 when initialized using an FDH function is described 
hereinafter. 

First, the secret value and FDH function P' = (S, FDH) stored in the memory 12 within the user 
terminal 1 are read. The concatenator 52 calculates and outputs W using the secret value S 
and FDH function FDH read from the memory 12 and a password entered by the user. For 
example, W = FDH (S || Pooh93 || ID (U) || ID (S)). The mask operator 54 calculates Z = 
T^e • W mod N using a public key (N, e) read from the memory 12, W received from the 
concatenator 52 and a random number T (T ∈ Z_N*) randomly generated by the random 
number generator 53. The communication processing part 55 sends Z to the server 2 and 
receives V2 from the server 2. 

Subsequently, with the input of T from the random number generator 53, the 
authentication result verification part 56 calculates HASH (01 || T || ID (U) || ID (S)) 
and compares it with V2 received from the server 2. In this instance, a MAC can be used in 
the place of the hash function HASH. When V2 and HASH (01 || T || ID (U) || ID (S)) do 
not match, the authentication result verification part 56 informs the error generator 57 
that there is no match. In response, the error generator 57 generates an error and 
terminates the process. On the other hand, if V2 and HASH (01 || T || ID (U) || ID (S)) 
match, the authentication result verification part 56 authenticates the server 2 as a 
legitimate unit and the verifier generator 58 calculates a verifier V1 = HASH (00 || T || ID 
(U) || ID (S)) and sends it to the server 2. At the same time, the session key generator 59 
generates a session key SK = HASH (11 || T || ID (U) || ID (S)). 

<Server operation> 

(1) Use of polynomial equation and FDH function (1) and use of polynomial equation and 
FDH function (2) 

The server 2 operates as follows regardless of using a polynomial equation and FDH 
function (1) or a polynomial equation and FDH function (2) described above. 

First, the user ID and password verification data H stored in the memory 41 within the 
server 2 are read. After receiving H read from the memory 41, a private key (N, d) and Z 
sent from the terminal 1, a master key generator 62 calculates and outputs T = (Z / W)^d mod 
N. In this instance, W = FDH (H || ID (U) || ID (S)). A verifier generator 63 calculates a 
verifier V2 = HASH (01 || T || ID (U) || ID (S)) using T received from the master key 
generator 62. A communication processing part 64 sends V2 obtained in the calculation to 
the terminal 1 and outputs V1 received from the terminal 1 to an authentication result 
verification part 65. 

Subsequently, with the input of T from the master key generator 62, the authentication 
result verification part 65 calculates HASH (00 || T || ID (U) || ID (S)) and compares it 
with V1 received from the terminal 1. In this instance, a MAC can be used in the place of 
the hash function HASH. When V1 and HASH (00 || T || ID (U) || ID (S)) do not match, 
the authentication result verification part 65 informs an error generator 66 that there is no 
match. In response, the error generator 66 generates an error and terminates the 
process. On the other hand, if V1 and HASH (00 || T || ID (U) || ID (S)) match, the 
authentication result verification part 65 authenticates the terminal 1 as a legitimate unit 
and a session key generator 67 generates a session key SK = HASH (11 || T || ID (U) || 
ID (S)). 

(2) Use of FDH function 

Next, the operation of the server 2 when initialized using an FDH function is described 
hereinafter. 

First, the user ID and password verification data H stored in the memory 41 within the 
server 2 are read. After receiving H read from the memory 41, a private key (N, d) and Z 
sent from the terminal 1, the master key generator 62 calculates T = (Z / W)^d mod N. In this 
instance, W = H. The verifier generator 63 calculates a verifier V2 = HASH (01 || T || ID 
(U) || ID (S)) using T received from the master key generator 62. The communication 
processing part 64 sends V2 obtained in the calculation to the terminal 1 and outputs V1 
received from the terminal 1 to the authentication result verification part 65. 

Subsequently, with the input of T from the master key generator 62, the authentication 
result verification part 65 calculates HASH (00 || T || ID (U) || ID (S)) and compares it 
with V1 received from the terminal 1. In this instance, a MAC can be used in the place of 
the hash function HASH. If V1 and HASH (00 || T || ID (U) || ID (S)) do not match, the 
authentication result verification part 65 informs the error generator 66 that there is no 
match. In response, the error generator 66 generates an error and terminates the 
process. On the other hand, if V1 and HASH (00 || T || ID (U) || ID (S)) match, the 
authentication result verification part 65 authenticates the terminal 1 as a legitimate unit 
and the session key generator 67 generates a session key SK = HASH (11 || T || ID (U) || 
ID (S)). 
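The terminal initialization (2), <Terminal operation> (2) and <Server operation> (1) described above, run end to end in Python as an added example (editor's code, not part of the specification). Both sides' messages Z, V2 and V1 are computed, and the wrong-password case shows where the exchange stops: the server recovers a different T, so V2 fails the terminal's check and no V1 or session key is produced. Assumptions not taken from the page: a toy RSA modulus built from two Mersenne primes, SHA-256 standing in for HASH and, with counter-based rejection sampling into Z_N* \ {1}, for the "randomly generated" FDH, the tags 00, 01 and 11 encoded as ASCII strings, a length-prefixed encoding for ||, the password handled as a string, and the placeholder identities "alice", "S1" and "S2".

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for this example (Mersenne primes; far too small for real use)
P_PRIME, Q_PRIME = 2**31 - 1, 2**61 - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))

def _enc(*parts):
    """Length-prefixed concatenation so that a || b is unambiguous (encoding is an assumption)."""
    out = b""
    for p in parts:
        if isinstance(p, int):
            b = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        else:
            b = p if isinstance(p, bytes) else str(p).encode()
        out += len(b).to_bytes(4, "big") + b
    return out

def HASH(*parts):
    """HASH: {0,1}* -> {0,1}^k, instantiated here with SHA-256 (k = 256)."""
    return hashlib.sha256(_enc(*parts)).digest()

def FDH(*parts):
    """Full-domain hash into Z_N* \\ {1}: re-hash with a counter until the value is usable."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(_enc(ctr, *parts)).digest(), "big") % N
        if x > 1 and gcd(x, N) == 1:
            return x
        ctr += 1

def rand_zn_star():
    """Uniform element of Z_N* (random number generator 53, and the polynomial coefficients)."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if gcd(x, N) == 1:
            return x

def poly_eval(coeffs, x):
    """p'(x) = a1*x + a2*x^2 + ... + an*x^n mod N, with coeffs = [a1, ..., an]."""
    return sum(a * pow(x, k + 1, N) for k, a in enumerate(coeffs)) % N

def terminal_init(password, uid, server_ids):
    """Terminal initialization (2): P' = (p'(x), FDH) stays in memory 12; H_i is registered at
    server i, where H_i = p'(i) + FDH(password || ID(U) || ID(S_i)) mod N."""
    coeffs = [rand_zn_star() for _ in server_ids]
    verifiers = {sid: (poly_eval(coeffs, i) + FDH(password, uid, sid)) % N
                 for i, sid in enumerate(server_ids, start=1)}
    return coeffs, verifiers

def terminal_start(coeffs, password, uid, sid, i):
    """Terminal: W = FDH(p(i) || ID(U) || ID(S)), Z = T^e * W mod N (mask operator 54)."""
    T = rand_zn_star()
    p_i = (poly_eval(coeffs, i) + FDH(password, uid, sid)) % N
    W = FDH(p_i, uid, sid)
    Z = pow(T, E, N) * W % N
    return T, Z

def server_respond(H_i, Z, uid, sid):
    """Server: W = FDH(H || ID(U) || ID(S)), T = (Z / W)^d mod N, V2 = HASH(01 || T || ...)."""
    W = FDH(H_i, uid, sid)
    T = pow(Z * pow(W, -1, N) % N, D, N)
    return T, HASH("01", T, uid, sid)

def terminal_finish(T, V2, uid, sid):
    """Terminal: check V2; on success emit V1 = HASH(00 || ...) and SK = HASH(11 || ...)."""
    if V2 != HASH("01", T, uid, sid):
        return None, None                            # error generator 57: abort
    return HASH("00", T, uid, sid), HASH("11", T, uid, sid)

def server_finish(T, V1, uid, sid):
    """Server: check V1; on success derive the same SK."""
    if V1 != HASH("00", T, uid, sid):
        return None                                  # error generator 66: abort
    return HASH("11", T, uid, sid)

def run_session(coeffs, verifiers, password, uid, sid, i):
    """One full exchange; returns (terminal SK, server SK), with None where a side aborted."""
    T_t, Z = terminal_start(coeffs, password, uid, sid, i)
    T_s, V2 = server_respond(verifiers[sid], Z, uid, sid)
    V1, sk_t = terminal_finish(T_t, V2, uid, sid)
    sk_s = server_finish(T_s, V1, uid, sid) if V1 is not None else None
    return sk_t, sk_s
```

Because Z is T^e multiplied by a value the server can only reproduce from H, an eavesdropper sees a fresh random element of Z_N* on every run, and the server learns T only by stripping the correct W before applying d; the same structure applies to the FDH-only variant with W = H.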

<Password verification data update — 1> 

When a user wants to update the password verification data already registered to a 
server without changing the password, the user updates his own terminal. Figs. 9 and 19 
are block diagrams showing the configuration of the update process of a user terminal. The 
update process is applicable to the use of polynomial equation and FDH function (1), 
polynomial equation and FDH function (2), and master key. The update process can prevent 
replay attacks on the server as well. 

<Terminal update process> 

(1) Use of polynomial equation and FDH function (1) and use of polynomial equation and 
FDH function (2) 

First, the update process of the terminal 1 when initialized using polynomial equation and 
FDH function (1) and when initialized using polynomial equation and FDH function (2) is 
described with reference to Fig. 9. The terminal 1 operates as follows regardless of using a 
polynomial equation and FDH function (1) or a polynomial equation and FDH function (2) 
described above. 

First, the polynomial equation generator 13 randomly generates a polynomial equation. 
In this instance, the polynomial equation generator 13 generates a polynomial equation of 
degree one with a variable x (t' (x) = β1 • x mod N) when there is one registered server and a 
polynomial equation of degree n (t' (x) = β1 • x + β2 • x^2 + ... + βn • x^n mod N) when there are n 
servers. Each β is randomly selected from Z_N*. For example, t' (x) becomes t' (x) = β1 • x mod N 
when there is one server. Then, the polynomial equation and FDH function P' = (p' (x), FDH) 
stored in the memory 12 within the user terminal 1 are read. After receiving the polynomial 
equations t' (x) and p' (x), an update value generator 14 generates an updated polynomial 
equation P' for the memory 12 and a value H' for server update. The updated polynomial 
equation P' can be calculated for example as P' = t' (x) + p' (x) = (α1 + β1) • x mod N. The 
value H' for server update can be calculated for example as H' = t' (1) mod N. t' (1) is the 
resultant value from t' (x) with x being replaced by "1." 

For example, if there are n registered servers, the update value generator 14 generates 
a value H' for the i-th server update. The value H' for server update can be calculated for 
example as H' = t' (i) mod N. t' (i) is the resultant value from the polynomial equation t' (x) of 
degree n with x being replaced by "i." 

The value H' for server update needs to be sent to the server in a secure manner, in 
which the user gives it to the server administrator directly, by mail, or by telephone. The 
updated polynomial equation P' = t' (x) + p' (x) and the FDH function FDH read from the 
memory 12 are stored in the memory 12 within the user terminal together as P' = (t' (x) + p' 
(x), FDH). 

(2) Use of master key 

Next, the update process of the terminal 1 when using a master key is described hereinafter 
with reference to Fig. 19. 

First, a random number generator 53 randomly generates a random number T (T ∈ 
Z_N*). Then, the polynomial equation and FDH function P' = (p' (x), FDH) stored in the memory 12 
within the user terminal 1 are read. After receiving the random number T and the polynomial 
equation p' (x), an update value generator 20 generates an updated polynomial equation P' 
for the memory 12. The updated polynomial equation P' can be calculated for example as P' = T 
+ p' (x) mod N. The updated polynomial equation P' = T + p' (x) and the FDH function FDH 
read from the memory 12 are stored in the memory 12 within the user terminal together as P' = 
(T + p' (x), FDH). 

<Server update process> 

(1) Use of polynomial equation and FDH function (1) and use of polynomial equation and 
FDH function (2) 

First, the update process of the server 2 when initialized using polynomial equation and 
FDH function (1) and when initialized using polynomial equation and FDH function (2) is 
described with reference to Fig. 10. The server 2 operates as follows regardless of using a 
polynomial equation and FDH function (1) or a polynomial equation and FDH function (2) 
described above. 

First, the user ID and password verification data H stored in the memory 41 within the 
server 2 are read. After receiving a value H' for server update sent from a user terminal and 
the password verification data H read from the memory 41, an update value generator 21 
generates updated password verification data H for server storage. The updated 
password verification data H can be calculated for example as H = p (1) + t' (1) mod N. The 
updated password verification data H is stored in the memory 41 within the server. 

(2) Use of master key 

Next, the update process of the server 2 when using a master key is described hereinafter 
with reference to Fig. 20. 

First, a master key generator 62 generates a master key T. Then, the user ID and 
password verification data H stored in the memory 41 within the server 2 are read. After 
receiving the master key T and the password verification data H read from the memory 41, 
an update value generator 27 generates updated password verification data H for server 
storage. The updated password verification data H can be calculated for example as H = p 
(1) + T mod N. The updated password verification data H is stored in the memory 41 within the 
server. 
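The two update procedures of <Password verification data update — 1> (the polynomial update with t'(x) and the master-key update with T), applied on both the terminal and the server side in Python as an added example (editor's code, not part of the specification). What the example checks is the relationship the authentication relies on and the update must preserve: for every registered server i, the server's H_i equals the terminal's p'(i) plus the password-derived FDH term mod N, and a copy of the verifiers taken before the update no longer satisfies it. Assumptions not taken from the page: a toy modulus built from two Mersenne primes, the stored polynomial represented as a coefficient list whose index 0 is the constant term that a master-key update adds to, the password-derived FDH term replaced by a constructed random value per server since the update never touches it, and the master key T handed in directly rather than derived from a session.

```python
import secrets

# Toy modulus, constructed for this example (far too small for real use)
N = (2**31 - 1) * (2**61 - 1)


def poly_eval(coeffs, x):
    """Polynomial stored in memory 12, evaluated mod N. coeffs[0] is a constant term (0 until a
    master-key update adds T to it); coeffs[k] for k >= 1 is the coefficient of x^k."""
    return sum(a * pow(x, k, N) for k, a in enumerate(coeffs)) % N


def polynomial_update(p_coeffs, n_servers):
    """Terminal side of update (1): random t'(x) with coefficients beta_i, P' = t'(x) + p'(x),
    and H'_i = t'(i) mod N for the i-th server (update value generator 14)."""
    t_coeffs = [0] + [secrets.randbelow(N - 1) + 1 for _ in range(n_servers)]
    new_p = [(a + b) % N for a, b in zip(p_coeffs, t_coeffs)]
    h_updates = {i: poly_eval(t_coeffs, i) for i in range(1, n_servers + 1)}
    return new_p, h_updates


def server_apply_update(H, delta):
    """Server side: H <- H + t'(i) mod N (update value generator 21) or H + T (generator 27)."""
    return (H + delta) % N


def master_key_update(p_coeffs, T):
    """Terminal side of update (2): P' = T + p'(x) (update value generator 20)."""
    new_p = list(p_coeffs)
    new_p[0] = (new_p[0] + T) % N
    return new_p


def consistent(p_coeffs, verifiers, fdh_parts):
    """Invariant: for every server i, H_i == p'(i) + FDH-part_i mod N.
    fdh_parts stands in for FDH(password || ID(U) || ID(S_i)), which no update changes."""
    return all((poly_eval(p_coeffs, i) + fdh_parts[i]) % N == H for i, H in verifiers.items())


def demo(n_servers=3):
    """Run both updates on a constructed registration; returns three booleans."""
    p = [0] + [secrets.randbelow(N - 1) + 1 for _ in range(n_servers)]       # registered p'(x)
    fdh_parts = {i: secrets.randbelow(N) for i in range(1, n_servers + 1)}   # constructed
    H = {i: (poly_eval(p, i) + fdh_parts[i]) % N for i in fdh_parts}         # servers' verifiers
    before = dict(H)

    p, updates = polynomial_update(p, n_servers)                 # update (1), terminal
    H = {i: server_apply_update(H[i], updates[i]) for i in H}    # update (1), each server
    ok_poly = consistent(p, H, fdh_parts)

    T = secrets.randbelow(N - 1) + 1                             # master key T (assumed given)
    p = master_key_update(p, T)                                  # update (2), terminal
    H = {i: server_apply_update(H[i], T) for i in H}             # update (2), each server
    ok_master = consistent(p, H, fdh_parts)

    stale_rejected = not consistent(p, before, fdh_parts)        # old verifiers no longer fit
    return ok_poly, ok_master, stale_rejected
```

The third result is the replay property the section claims: once the terminal and the server have both moved on, a verifier captured earlier no longer matches what the terminal can compute, so reusing it against the server does not line up with the terminal's current state.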

<Password verification data update — 2> 

When a user wants to update the password verification data already registered to a 
server together with changing the password, the user updates his own terminal. Fig. 11 is a 
block diagram showing the configuration of the update process of a user terminal. In the 
update process, after receiving a secret value S' from a secret value generator 15, a new 
password PW to be remembered by the user, and P' stored in the memory within the user 
terminal 1, a password verification data updater 16 generates password verification data 
H' for server update and an updated P' for the memory 12. H' is sent to the server and the 
updated P' is stored in the memory 12. In this instance, the update process is applicable to the 
use of FDH function described above. The update process can prevent replay attacks on the 
server as well. In the same way, the use of polynomial equation and FDH function (1) and 
polynomial equation and FDH function (2) described above can be applied by following a 
similar operation of each initialization process. Therefore, these explanations are omitted 
here. 

<Terminal update process> 
(1) Use of FDH function 

First, update process of the terminal 1 when initialized using FDH function is described 
hereinafter with reference to Fig. 11. 

First, the secret value generator 15 randomly generates a secret value S'. Then, P' = (S, 
FDH) stored in the memory 12 within the user terminal 1 is read. After receiving a new 
password (PW) to be remembered by the user, the FDH function FDH and the secret value 
S', a password verification data updater 16 generates an updated P' for the memory 12 and 
password verification data H' for the server update. The password verification data H' for 
the server update can be calculated, for example, as H' = FDH(S' || PW || ID(U) || ID(S)). In 
this instance, ID(U) and ID(S) represent a user ID and a server ID, respectively. The 
password verification data H' for the server update needs to be sent to the server in a 
secure manner, in which the user gives it to the server administrator directly, by mail or by 
telephone. The updated P' = (S', FDH) is stored in the memory 12 within the user terminal 
1. 

<Server update process> 
(1) Use of FDH function 

Next, the update process of the server 2 when it was initialized using the FDH function 
is described with reference to Fig. 12. 

First, the user ID and the password verification data H stored in the memory 41 within 
the server 2 are read. After receiving the password verification data H' for the server 
update sent from the user terminal 1 and the password verification data H read from the 
memory 41, a password verification data updater 22 replaces the password verification 
data H with H' sent from the user terminal 1. The updated password verification data 
H = H' is stored in the memory 41 within the server. 
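The following is an added worked example of the terminal-side (Fig. 11, updater 16) and server-side (Fig. 12, updater 22) update just described; it is not code from this specification. The specification only gives H' = FDH(S' || PW || ID(U) || ID(S)); modelling the FDH function as SHA-256, length-prefixing each concatenated field, and the plain comparison in `check` standing in for the authentication protocol are assumptions of the example.

```python
# Added example, not the patent's own code: FDH-based update of the password
# verification data.  FDH modelled as SHA-256, length-prefixed concatenation
# and the simple `check` comparison are assumptions of this example.
import hashlib
import hmac
import secrets

def _encode(*fields):
    """Length-prefix every field so that two different (S', PW, ID(U), ID(S))
    tuples can never concatenate to the same byte string."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def fdh(*fields):
    """Stand-in for the full-domain hash FDH (assumption: SHA-256)."""
    return hashlib.sha256(_encode(*fields)).digest()

class Terminal:
    """User terminal 1; `memory` plays the role of memory 12 holding P' = (S', FDH)."""
    def __init__(self, user_id, server_id):
        self.user_id, self.server_id, self.memory = user_id, server_id, None

    def update(self, new_password):
        """Updater 16: fresh S' from the secret value generator 15, H' for the
        server, and the new P' = (S', FDH) written back to memory 12."""
        s_new = secrets.token_bytes(32)
        h_new = fdh(s_new, new_password, self.user_id, self.server_id)
        self.memory = (s_new, fdh)
        return h_new                      # delivered to the server out of band

    def verification_data(self, password):
        """Recompute H from the stored P' and the password typed by the user."""
        s, f = self.memory
        return f(s, password, self.user_id, self.server_id)

class Server:
    """Server 2; `memory` plays the role of memory 41 mapping user ID -> H."""
    def __init__(self):
        self.memory = {}

    def update(self, user_id, h_new):
        """Updater 22: replace the stored H with the received H'."""
        self.memory[user_id] = h_new

    def check(self, user_id, h):
        """Stand-in for the authentication protocol: constant-time comparison."""
        return hmac.compare_digest(self.memory.get(user_id, b""), h)
```

After an update the server no longer accepts the verification data derived from the previous P' and password, which is the replay resistance the text refers to; the length prefix in `_encode` is what makes the concatenation in H' unambiguous.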



As described above, when initialized using a polynomial equation, a user password is 
information-theoretically secure in the sense that someone who is attempting unauthorized 
use of the user's terminal cannot get any information about the password. Even if someone 
(e.g., an attacker or a server administrator) steals information stored in the server by 
hacking or using a virus, the user's password is information-theoretically secure. When 
initialized using a hash function, a pseudo random number generator or an FDH function, a 
user password is computationally secure against someone attempting unauthorized use of 
the user's terminal. 

Next are descriptions of a remotely-distributed storage system that is one application of 
the authentication system described above. 

<Data storing process of a remotely-distributed storage system when distributed data is not 
stored on the terminal> 

First, the data storing process of a remotely-distributed storage system when distributed 
data is not stored on the terminal is described with reference to Fig. 21. Fig. 21 is a block 
diagram showing the configuration of a remotely-distributed storage system 5 when 
distributed data is not stored on the terminal. 

The user processes data DATA, to be distributed and stored, on his own terminal 21 and 
divides it into data S'1, ..., S'n for n servers. The divided data S'i is sent to and stored on 
a server IDi together with a data ID DID by means of a communication unit 52 that can use 
a secure communication path created by the user terminal 21 using a session key SKi shared 
with the authentication server. Similarly, the list information of the stored data can be 
divided and stored on the servers. Meanwhile, the user terminal (in password verification 
data update mode) is operated at specific intervals (intervals smaller than the time in 
which the password could be obtained through off-line dictionary attacks; for example, every 
time authentication is conducted, or once every two or three days) to generate information 
UP', UH1, ..., UHn for updating P' and the H stored on each server, and updates them. 

In this way, both the data stored on the servers and the authentication data can be 
made robust against leakage and damage. Resistance to leakage and damage can be 
expressed by four parameters (n, DS, LS1, LS2). DS, LS1 and LS2 are sets of combinations 
of entities (subject to leakage and damage), where DS represents resistance to data damage 
and LS1 and LS2 represent resistance to data leakage. DS describes the combinations of 
entities that can be damaged: in any of these combinations of damage, the user can restore 
his own data even if the stored data, including local backups, is completely unusable, for 
example because of a disaster. LS1 describes the combinations of entities from which the 
recorded information can be leaked: in any of these combinations of leakage, it is difficult 
for the attacker to restore the stored data. LS2 describes the combinations of entities for 
which some countermeasure is taken when the recorded information is leaked: in any of 
these combinations of leakage, the countermeasure makes it difficult for the attacker to 
restore the stored data. 

Usually, we assume that the user's password is small enough for an attacker to search it 
exhaustively off-line. When a previous authentication system vulnerable to leakage is 
used, the attacker can fully recover the user's password from leaked information and 
information on the communication paths. Consequently, the attacker can pretend to be the 
user and obtain all of the data remotely distributed and stored. In other words, LS1 could 
include neither the server {S} nor the user's possession {U}. Conversely, by using an 
authentication system robust to leakage, LS1 can include the server {S} and the user's 
possession {U}. All remote authentication systems, including those robust to leakage, allow 
an attacker to search for the user's password when information is leaked from both the 
user's possession {U} and the server {S}. As a result, it is possible for the attacker to 
pretend to be the user and obtain all of the remotely distributed and stored data. Therefore, 
LS2 could not include the combination {US} of the user's possession {U} and the server {S}. 
However, by updating P' and H1, ..., Hn, LS2 can include combinations of the user's 
possession and the server. 

Next, the configuration of the data divider 51 shown in Fig. 21 is described with 
reference to Fig. 22. An adjustor 511 supplies input parameters n and k to a secret 
distributor 512. The secret distributor 512 converts the stored data DATA into (k, n) 
distributed data S1, S2, ..., Sn in accordance with the input parameters n and k. Then, the 
adjustor 511 generates an input x for a data extender 513 based on the data ID DID and 
supplies it to the data extender 513. The data extender 513 outputs the corresponding 
information H and supplies it to an encoder 514. In this instance, H has a length sufficient 
to be robust against off-line exhaustive search. If the data extender 513 outputs a short H, 
multiple different inputs x are provided to the data extender and the resulting multiple 
outputs H are used. The encoder 514 encodes n-k+1 or more of the distributed data using H 
as a key. Each of S1, ..., Sn-k+1 can be appended with an error detecting code. The output 
S'1, ..., S'n of the encoder 514 constitutes the output of the data divider 51 together with 
DID, ID1, ID2, ..., IDn. 

In this instance, (k, n) distributed data are obtained by dividing the original data into n 
sets; the original data can be restored using any k of them, but cannot be restored using 
fewer than k. Instead of (k, n) distributed data, any access structure can be used for the 
distributed data. Furthermore, the secret distributor can be realized not only by utilizing a 
polynomial equation or a matrix for information-theoretic security, but also by using an 
encryption process to reduce the size of the distributed data for computational security. 

The data divider 51 realizes (n, DS, LS1, LS2) = (n, {CSn-k}, {UC, CSn}, {UCSk-1}). 
{CS} comprises all or part of the stored information of the client and the servers. {Sn} 
comprises all or part of the stored information of n servers. {C, S} comprises "all or part of 
the stored information of clients and all or part of the stored information of servers", 
respectively. Leakage from {UCSk-1} can be handled using the authentication information 
update process: if the authentication information is updated while an attacker is trying to 
obtain the user's password from {UCSk-1}, the attacker cannot obtain the data. A solution 
to the loss of the user's possession {U} (loss of P') is to locally copy the data recorded as 
{U} whenever each update is run. A solution to the danger caused by damaged local copies 
and {U} as a result of a disaster is to divide the data recorded in {U} by a secret distributor 
into (k', n) distributed data and to save each on the corresponding server. When k' >= k, 
(n, DS, LS1, LS2) = (n, {UCSn-k, CSn-k}, {UC, CSk'-1}, {UCSk-1}) is realized. When k' < k, 
(n, DS, LS1, LS2) = (n, {UCSn-k, CSn-k}, {UC, CSk'-1}, {UCSk-1, CSk-1}) is realized. 

Moreover, if all or some of the data recorded in the user's possession and the password 
are divided by a secret distributor into (k', n) distributed data and stored on each server, 
the (information recorded in the possession and the) password can be restored through 
off-line dictionary attacks even if the user forgets the password. In this case, 1) the off-line 
analysis can be skipped when all the data is distributed, and 2) the computational cost 
required for the off-line analysis can be reduced, depending on the amount, when some of 
the data is distributed. With this functionality, the user can control the level at which the 
data can be restored (which is the same level as when an attacker obtains {CSk'}) when the 
user grants a third party the right to decrypt the data. 

<Data decoding process of a remotely-distributed storage system when data is not stored on 
the terminal> 
Next, the data decoding process of a remotely-distributed storage system when data is 
not stored on the terminal is described with reference to Fig. 23. Fig. 23 is a block 
diagram showing the configuration of a remotely-distributed storage system 5 when data is 
not stored on the terminal. 

A data decoder 54 receives at least k distributed data sets corresponding to an input 
DID among the distributed data sets S'1, ..., S'n from the servers ID1, ID2, ..., IDn via a 
communication unit 52. The data decoder 54 decodes at least k sets of the distributed data 
among S'1, ..., S'n to restore DATA. In the same way, the list of stored data can be restored. 
A user terminal 21 (in authentication data update mode) is operated at appropriate 
intervals (intervals smaller than the time in which the password could be found with 
off-line dictionary attacks; for example, every time authentication is conducted, or once 
every two or three days) to generate information UP', UH1, ..., UHn for updating P' and the 
H stored on each server, and updates them. 

Next, the configuration of the data decoder 54 shown in Fig. 23 is described with 
reference to Fig. 24. An adjustor 541 outputs the n input server IDs ID1, ID2, ..., IDn and 
DID. The adjustor 541 also generates an input x for a data extender 542 based on DID and 
supplies it to the data extender 542. The data extender 542 outputs the corresponding 
information H and supplies it to a decoder 543. The decoder 543 decodes the encoded 
distributed data among the sets S'1, S'2, ..., S'n and supplies S1, S2, ..., Sn to a secret 
retrieval unit 544. The secret retrieval unit 544 restores DATA from the supplied 
distributed data. In this instance, k unaltered distributed data sets can be supplied after 
error detection is conducted. 

<Data storing process of a remotely-distributed storage system when distributed data is 
stored on the terminal> 

Next, the data storing process of a remotely-distributed storage system when distributed 
data is stored on the terminal is described with reference to Fig. 25. Fig. 25 is a block 
diagram showing the configuration of a remotely-distributed storage system 5 when 
distributed data is stored on the terminal. Here, only the part that differs from the 
configuration shown in Fig. 21 is described. 

The user processes the data DATA that he/she wants to distribute on his own computer 
21 and separates the data DL to be stored locally from the data RS'1, ..., RS'n to be stored 
on the n servers. DL is stored on a recording unit 55 at the user side, and the divided data 
RS'i is sent to a server IDi together with the data ID DID through a secure communication 
path created by the user terminal 21 using a key SKi shared with an authentication server. 
In the same way, the list information of the stored data can be divided and stored on the 
servers. 

In this way, the communication cost with the servers is reduced by storing part of the 
distributed data on the user's terminal 21. The system can be configured with variable or 
fixed communication cost depending on the combinations of servers that may be damaged. 
In particular, the system with variable communication cost can reduce the storage space 
across the n servers. Moreover, resistance to leakage and damage can be maintained at the 
same level as when no data is stored at the user side. 

Next, the configuration of the data divider 51 shown in Fig. 25 is described with 
reference to Fig. 26. Here, only the part that differs from the configuration shown in Fig. 22 
is described. An encoder 515 receives a random number R from a random number 
generator 516 and, using it as a key, encodes the data to be stored locally and outputs it as 
DL. An adjuster 511 supplies input parameters n and k to a secret distributor 512. The 
secret distributor 512 converts R into (k, n) distributed data RS1, RS2, ..., RSn in accordance 
with the input parameters n and k. Then, the adjuster 511 generates an input x for a data 
extender 513 from the data ID DID and supplies it to the data extender 513. The data 
extender 513 outputs the corresponding information H and supplies it as a key to an 
encoder 514, where H has a length sufficient to be robust to off-line exhaustive search. When 
the data extender 513 outputs a short H, multiple different inputs x are supplied to the data 
extender 513 and the resulting multiple outputs H are used. The encoder 514 encodes 
n-k+1 or more of the distributed data using H as a key. Each of RS1, ..., RSn-k+1 can be 
appended with an error detection code. The output of the encoder is RS'1, ..., RS'n. 

Instead of (k, n) distributed data, any access structure can be used for the distributed 
data. Furthermore, the secret distributor 512 can be realized not only by utilizing a 
polynomial equation or a matrix for information-theoretic security, but also by using an 
encryption process for computational security. If the size of R is small, it is preferable to 
realize the secret distributor 512 with information-theoretic security, since a distributor 
with computational security has little effect on reducing the size. 

<Data decoding process of a remotely-distributed storage system when distributed data 
is stored on the terminal> 

Next, the data decoding process of a remotely-distributed storage system when distributed 
data is stored on the terminal is described with reference to Fig. 27. Fig. 27 is a block 
diagram showing the configuration of a remotely-distributed storage system 5 when 
distributed data is stored on the terminal. Here, only the part that differs from the 
configuration shown in Fig. 23 is described. 

A data decoder 54 receives at least k distributed data sets corresponding to an input 
DID among RS'1, ..., RS'n from the servers ID1, ID2, ..., IDn via a communication unit. The 
data decoder 54 processes at least k distributed data sets among RS'1, ..., RS'n and restores 
DATA. In the same way, the list of stored data can be restored. 

Next, the configuration of the data decoder 54 shown in Fig. 27 is described with 
reference to Fig. 28. Here, only the part that differs from the configuration shown in Fig. 24 
is described. An adjustor 541 generates an input x for a data extender 542 based on DID 
and supplies it to the data extender 542. The data extender 542 outputs the corresponding 
information H and supplies it to a decoder 543. The decoder 543 decodes the encoded 
distributed data among the obtained RS'1, RS'2, ..., RS'n and supplies RS1, ..., RSn to a 
secret retrieval unit 544. The secret retrieval unit 544 restores DATA from the supplied 
distributed data sets using a decoder 545. Moreover, k unaltered distributed data sets can 
be supplied after error detection is conducted. 
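The following is an added worked example covering both the data divider and decoder of Fig. 22 and Fig. 24 (where DATA itself is distributed) and the variant of Fig. 26 and Fig. 28 (where only the random number R is distributed and the encrypted data DL stays on the terminal); it is not code from this specification. The prime field used by the polynomial secret distributor, the SHA-256 counter-mode data extender, the XOR encoder keyed by H and the truncated HMAC used as the error detecting code are all assumptions of the example, since the specification fixes none of these primitives. It goes slightly beyond the text in that the decoder discards any share whose error detecting code fails and then reconstructs from whatever k unaltered shares remain.

```python
# Added example, not the patent's own code: a (k, n) secret distributor with the
# keyed encoder of Fig. 22/24, plus the Fig. 26/28 variant that shares only a
# random key R and keeps the encrypted data DL locally.  The prime field, the
# SHA-256 data extender, the XOR encoder and the HMAC tag are assumptions.
import hashlib
import hmac
import secrets

P = 2**127 - 1      # prime field for the polynomial secret distributor (assumed)
SHARE_LEN = 16      # one field element fits in 16 bytes
TAG_LEN = 8         # truncated HMAC used as the error detecting code

def keystream(key, label, length):
    """Counter-mode SHA-256 expansion (the 'several inputs x' trick for a short H)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def data_extender(did):
    """Data extender 513/542: derive H from the input x, here simply x = DID."""
    return keystream(did, b"extend", 32)

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, k, n):
    """Secret distributor 512: points 1..n on a random degree-(k-1) polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}

def combine_secret(shares):
    """Secret retrieval unit 544: Lagrange interpolation at x = 0 over k shares."""
    total = 0
    for i in shares:
        num = den = 1
        for j in shares:
            if i != j:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + shares[i] * num * pow(den, P - 2, P)) % P
    return total

def encode_shares(shares, k, did):
    """Encoder 514: encrypt shares 1..n-k+1 under H so that without H at most
    k-1 shares are readable; every share carries a tag as error detecting code."""
    n, H, out = len(shares), data_extender(did), {}
    for i, s in shares.items():
        body = s.to_bytes(SHARE_LEN, "big")
        if i <= n - k + 1:
            pad = keystream(H, b"share" + bytes([i]), SHARE_LEN)
            body = bytes(a ^ b for a, b in zip(body, pad))
        tag = hmac.new(H, bytes([i]) + body, hashlib.sha256).digest()[:TAG_LEN]
        out[i] = body + tag
    return out

def decode_shares(stored, k, n, did):
    """Decoder 543: drop altered shares, undo the encoding, then reconstruct."""
    H, clean = data_extender(did), {}
    for i, blob in stored.items():
        body, tag = blob[:SHARE_LEN], blob[SHARE_LEN:]
        want = hmac.new(H, bytes([i]) + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            continue                                  # error detected, skip it
        if i <= n - k + 1:
            pad = keystream(H, b"share" + bytes([i]), SHARE_LEN)
            body = bytes(a ^ b for a, b in zip(body, pad))
        clean[i] = int.from_bytes(body, "big")
        if len(clean) == k:
            break
    if len(clean) < k:
        raise ValueError("fewer than k unaltered shares available")
    return combine_secret(clean)

def store_remote_only(data, k, n, did):
    """Fig. 21/22: DATA itself is shared; one field element (<= 15 bytes) here."""
    assert len(data) <= 15
    return encode_shares(split_secret(int.from_bytes(data, "big"), k, n), k, did)

def restore_remote_only(stored, k, n, did, length):
    return decode_shares(stored, k, n, did).to_bytes(length, "big")

def store_with_local_part(data, k, n, did):
    """Fig. 25/26: encrypt DATA under random R (encoder 515), keep DL, share R."""
    R = secrets.randbelow(P)
    pad = keystream(R.to_bytes(SHARE_LEN, "big"), b"data", len(data))
    DL = bytes(a ^ b for a, b in zip(data, pad))
    return DL, encode_shares(split_secret(R, k, n), k, did)

def restore_with_local_part(DL, stored, k, n, did):
    """Fig. 27/28: recover R from k shares, then decode DL (decoder 545)."""
    R = decode_shares(stored, k, n, did)
    pad = keystream(R.to_bytes(SHARE_LEN, "big"), b"data", len(DL))
    return bytes(a ^ b for a, b in zip(DL, pad))
```

Encrypting n-k+1 of the n shares under H is what makes the unencrypted remainder useless on its own: at most k-1 shares are ever readable without H, which is below the threshold of the (k, n) scheme. In the local-part variant the servers hold n shares of the 16-byte R regardless of the size of DATA, which is the communication and storage saving the text describes, while a wrong DID yields a wrong H, every tag check fails, and the decoder refuses to reconstruct.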

The authentication and key exchange processes can be executed by recording programs 
for executing the functions of the processes shown in the figures on a computer-readable 
recording medium, and by loading and executing the programs recorded on the recording 
medium on a computer system. In this instance, the "computer system" includes an OS and 
hardware such as peripheral devices. Moreover, the "computer system" includes WWW 
systems with website environments (or presentation environments). The "computer-readable 
recording medium" means portable media such as flexible discs, magneto-optical discs, 
ROMs and CD-ROMs, and storage devices such as hard disks contained in computer 
systems. Moreover, the "computer-readable recording medium" includes those that retain 
programs for a specified period of time, such as the volatile memory (RAM) in a server or 
client computer system when the programs are transferred via networks such as the 
Internet and communication lines such as telephone lines. 

The above programs can be transferred from a computer system in the memory of which 
the programs are stored to other computer systems via transmission media or transmitted 
waves in the transmission media. In this instance, the "transmission media" means media 
having the function of transmitting information including networks (communication 
networks) such as the Internet and communication lines (communication wires) such as 
telephone lines. The above programs can be those that realize some of the described 
functions. Moreover, the programs can be so-called difference files (difference programs) 
that realize the described functions in a combination of programs recorded on computer 
systems. 

INDUSTRIAL APPLICATIONS 

With the present invention, a password cannot be found through off-line dictionary 
attacks even if stored information is leaked from the terminal or from the server, so that 
unauthorized use of the server can be prevented. Moreover, since no tamper-resistant 
module is needed to protect stored information on lost or stolen devices, the configuration 
is kept as simple as possible. There is no need for a complex key management process 
such as a public key infrastructure, which can improve computational efficiency and 
simplify the overall process. In addition, extension to multiple servers is easily realized. 

A user ID is dynamically and synchronously changed between each server and the 
terminal, so that it is impossible for an eavesdropper to link the private information of a 
user by means of the user ID. 



